PAGE  40 


Compass  Awards:  Business  Alignment  Leaders 


CSO  Hemanshu  Niga 
culture,  commerce  an 
safe  for  150  million  me 

By  Sarah  D.  Scalet  PAGE  24 


March  2007  $9.00  www.csoonline.com 


THE  RESOURCE  FOR 


BANK  ON  IT 

World  View: 

U.K.  trumps  U.S.  in 
online  security 

PAGE  18 


HOCKEY  FIGHT 

How  to  avoid 
trade  secret  theft 
lawsuits 

PAGE  34 


W\ 

m 


r 


&  Travel:  Airfares,  hotels,  vacations,  cruises,  car  rentals  and  more  at  Traveloi 


://wwvv.travek>city.com/ 


travelocity 


Identified  by  VeriSign  ▼ 


&  #  Travel:  Airfares,  hotels,  vacations,  cruises,  car  rent... 


* 

*  travelocity 


Track  fares  to  your  fav 


VeriSign 

Secured 


Introducing  the  biggest  advancement  to 
Internet  security  in  the  last  ten  years 

With  new  VeriSign  Extended  Validation  SSL  Certificates 
and  today’s  high-security  browsers,  the  address  bar 
turns  green,  giving  your  customers  immediate  assurance 
that  your  Web  site  is  secure.  The  browser  also  displays 
your  company  name  and  the  issuing  Certificate  Authority, 
making  it  more  important  than  ever  to  choose  VeriSign— 
the  most  trusted  symbol  of  security  on  the  Web. 

a  Download  a  free  white  paper  on  Extended  Validation  SSL 

“  at  www.verisign.com/dm/evwp  or  call  1-866-893-6565. 


r?>2007  VeriSign.  Inc.  All  rights  reserved.  VeriSign,  the  VeriSign  logo,  the  checkmark  circle,  and  other 
trademarks,  service  marks,  and  designs  are  registered  or  unregistered  trademarks  of  VeriSign,  Inc., 
and  its  subsidiaries  in  the  United  States  and  in  foreign  countries. 


Vol.  6,  No.  3 


“MySpace  got  hit 
with  the  worst 


kind  of  thing,  and 
that’s  predators, 
but  it  got  hit  at 


ALSO  IN  THIS  ISSUE 


AVIAN  INFLUENZA 
CONTROL  MEASURE 

YOU  ARE  ENTERING  A 
PROTECTION  ZONE 


Alt  ENOUiftiES  OEFRA  HELPLINE  0845  9335577 
OR 

SUFFOLK  COUNTY  COUNCIL  08458  032814 

.,4"  *,+  l  *■.  f  J*'  J  '  8 

.  .  iri+r*** 


11  Briefing 

Trouble  over  rainbow  tables;  Pandemic 
checklist;  Counterfeit  busts;  Mexican  bank 
deploys  biometrics  for  the  masses;  Getting 
people  to  listen  to  alarms;  Interview  with  a 
hacker  who  publicized  a  vulnerability  and 
found  himself  in  court 

18  Differences  You  Can  Bank  On 

WORLD  VIEW  Observations  from  a  multi¬ 
continental  banking  customer. 

By  Paul  Raines 


24  cover  story  Mr.  Safety 

SOCIAL  MEDIA  Can  Hemanshu  Nigam  make  MySpace  a  safe 
neighborhood— without  also  making  it  an  empty  one? 

By  Sarah  D.  Scalet 


20  Say,  Can  You  See? 

MACHINE  SHOP  Visualization  tools  can 
help  ferret  out  security  problems,  but  the 
technology  has  a  long  way  to  go.  By  Simson 
Garfinkel 


34  How  to  Stay  Out  of  the  Penalty  Box 


48  Debriefing 


INVESTIGATIONS  An  acrimonious  court  case  between  two 
athletic  gear  companies  provides  strategies  for  discouraging 
intellectual  property  theft— and  dealing  with  accusations 
when  they  arise.  By  Scott  Berinato 

40  In  Sync 

ALIGNMENT  This  year’s  CSO  Compass  Award  honorees  have 
achieved  alignment  of  security  and  business  goals,  through 
advocacy,  active  engagement  and,  in  some  cases,  a  sense  of 
humor.  By  Daintry  Duffy  and  Sarah  D.  Scalet 


Hasty  Etymologies 

2  CSOonline.com 
!■  From  the  Editor 
( !  From  the  Publisher 
8  Letters 
Hi  Index 


COVER  PHOTO  BY  DANIEL  HENNESSEY 


March  2007  www.csoonline.com  1 


The  Psychology  of  Security 

bruce  schneier  once  mocked  efforts 
to  make  people  feel  safe,  calling  such 
projects  “security  theater.”  Well,  he’s 
changed  his  mind  after  further  study. 
Listen  to  our  interview  with  the  expert 
and  author  of  beyond  fear  discussing 
his  views.  csoonline.com/podcasts 


V  .v  . 


OVERLY 


ADAMS 


MCMILLAN 


NEW  BLOGGERS 

A  Legal  View 

MICHAEL  R.  OVERLY  is  both  a  lawyer  and  an 
information  security  expert.  See  OVERLY  ON 
SECURITY  for  his  ideas  on  issues  such  as  how 
to  minimize  legal  threats  from  insiders  and  the 
need  for  employee  training. 
http://blogs.csoonline.com/blog/michaeloverly 

Inside  the  Industry 

ED  ADAMS  is  a  veteran  IT  security  and 
quality  assurance  executive  who  shares  his 
views  on  industry  happenings  in  SECURITY 
CURMUDGEON. 

http://blogs.csoonline.com/blog/ed_adams 

Over  Easy 

Veteran  security  journalists  ROBERT  MCMILLAN 
and  SHAWNA  MCALEARNEY  offer  their  off-the- 
beaten-path  insights  and  observations  about 
current  events  and  the  security  industry. 

Keep  up  with  SECURITY  BLANKET  to  read 
what  they  uncover  next. 

http://blogs.csoonline.com/blog/securityblanket 


McALEARNEY 


“Aloha.  Here  in  Hawaii  we  have 
seen  a  rise  in  copper  theft.  Imagine, 
copper  being  stolen  in  paradise.” 

-GARY  KAHN,  CISO,  TERRITORIAL  SAVINGS  BANK,  COMMENTING  ON 
“THE  METAL  THEFT  EPIDEMIC,”  WWW.CSOONLINE.COM/READ/020W7 


2  www.csoonline.com  March  2007 


President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Derek  Slater 
Managing  Editor 
Michael  Goldberg 
Senior  Editors 

Scott  Berinato,  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Assistant  Managing  Editor 
Emily  S.  Henderson 
Senior  Copy  Editor 
Cathy  Mallen 
Copy  Editor 
Susan  Bryant-Still 
Research  Specialist  and  Reporter 
Margaret  Locher 
Associate  Staff  Writers 
Christopher  Lynch,  Katherine  Walsh 
Editorial  Administrator 
Jill  Paquette 
Contributors 

Daintry  Duffy,  Deb  Radcliff, 

Paul  Raines 

DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 
Associate  Art  Director 

Chandra  Tallman 

RESEARCH 

Research  Manager 
Carolyn  Johnson 
Senior  Research  Analyst 
Seanna  Maguire 

ONLINE  EDITORIAL 

Online  Editorial  Director 

Christopher  Lindquist 
Senior  Online  Editors 
Sandy  Kendall,  Meridith  Levinson, 
Shawna  McAlearney, 

Esther  Schindler 
Associate  Online  Editor 
Diann  Daniel 

Online  News  Writer  Al  Sacco 
Online  Copy  Editor  David  Gradijan 

INFORMATION  SYSTEMS 

IDG  Director  of  Information 
Services  Nancy  Newkirk 
IT  Manager  Sean  McCracken 
Senior  User  Support  Specialist 
Christopher  A.  Kay, 

Thomas  Lupien 
User  Services  Specialist 
Gloria  Lam 

Senior  Web  Developer 

David  Cohen 

Web  Developer  Sanghee  Seo 

CXO  MEDIA  /  IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

CXO  \  MEDIA  INC. 

INTERNATIONAL  DATA  GROUP 

Board  Chairman 
Patrick  J.  McGovern 
President,  IDG  Communications 

Bob  Carrigan 


v~BPA 

WORLDWIDE" 


WHAT  IF 

FERTILIZER 

WAS  ONLY  USED 


UZE? 


00 

$Pi  | 


It's  doubtful  there  would  be  a  national  >>  -  watch  list  of  people  who  purchase 

tOO  much  Of  it.  And  businesses  might  not  need  experts  proficient  in  both  access  control 
and  video  to  develop  truly  integrated  technology.  They  wouldn’t  care  about  ensuring  total 
protection  with  the  brand  that  practically  invented  open  security  standards.  Wouldn’t 
care  about  easily  linking  critical  video  and  access  control  with  the  click  of  the  mouse.  If 
fertilizer  wasn’t  used  for  bombs,  businesses  wouldn’t  need  us  to  make  security  reliable 
and  easy.  Because  it  already  would  be.  The  right  security  for  you  starts  by  completing  a 
short  questionnaire  at  www.tycoforyourworld.com  or  by  calling  888-840-1438. 

SECURITY  FOR  YOUR  WORLD. 


=  AMERICAN 
DYNAMICS 


Software  House 

Access  control  and  video  systems 


KANTECH 


tUCO  j  Fire  & 

/  Security 


****** 


******** 


I 


The  Conversation 


In  between  Godfather  I  and  II,  Francis  Ford  Coppola 
squeezed  out  an  art-house  flick  called  The  Conversation. 
Surveillance  expert  Gene  Hackman  records  a  furtive 


discussion  between  a  man  and  woman  who  are  apparently  under  the  threat 
of  being  murdered  by  their  conniving  boss.  I  won’t  completely  spoil  the 
ending  (though  the  movie’s  been  out  for  30-odd  years)  but  it  turns  out 
Hackman  hasn’t  heard  things  exactly  right. 

This  movie  comes  to  mind  because  of  our  Compass  Awards.  Every  March 
we  recognize  some  of  the  security  profession’s  best  and  brightest.  We  change 
the  theme  a  bit  each  year  to  keep  things  lively  and  also  to  recognize  that 
leadership  comes  in  many  forms.  This  year’s  theme  is  business  alignment, 
and  surely  there  is  no  theme  of  greater  importance  to  CSOs.  Getting  security 
perfectly  synced  up  with  the  strategy,  goals  and  priorities  of  the  business 
historically  has  been  tough  sledding.  So  we  chose  to  recognize  six  CSOs  and 
CISOs  for  showing  the  way  to  business  alignment.  You  can  read  about  their 
strategies  for  alignment  in  “In  Sync,”  starting  on  Page  40.  This  article  is  not 
a  fluff  piece.  We  charged  our  writers  to  think  of  these  short  pieces  less  as 
profiles  and  more  as  how-to  stories. 

Of  course,  “the  business”  means  something  quite  different  at  Nike  than 
it  does  in  the  state  of  Michigan.  Nevertheless,  as  I  read  these  short  write-ups, 
I  am  struck  by  a  common,  simple  theme:  conversation.  Conversation  seems 
to  be  the  number-one  tactic  by  far  that  these  leaders  use  for  connecting  with 
the  business.  Not  accidental  watercooler  chatter,  though  that  can  also  be 
useful,  but  very  intentional  discussion  that  involves  the  security  pro  asking 
questions.  Lisa  Johnson  holds  30-minute  informational  interviews  with 
business  leaders  and  starts  with  the  questions,  “What  services  can  we 
provide?”  and  “How  can  we  add  value  to  the  business?”  Deven  Bhatt  gave 
every  employee  at  ARC  his  personal  cell  number.  In  a  sense,  these  CSOs 
treat  alignment  as  a  sort  of  ongoing  investigation,  much  like  what  Hack¬ 
man’s  character  does  in  the  movie.  Minus  the  weird  mix  of  ennui 
and  paranoia. 

Security  awareness  programs  are  valuable,  and  there’s  a  time  and  place 
for  the  CSO  to  do  the  talking.  But  it  looks  like  the  most  successful  security 


practitioners  put  effort  into  letting  the  business 
educate  them,  rather  than  vice  versa.  Yes,  security 
metrics  are  huge.  Yes,  MBA  training  can  help.  These 
things  only  work  for  CSOs  who  engage  business 
leaders  in  a  running  conversation  to  understand 
their  priorities,  their  goals,  their  business  strategies. 

We’ll  officially  recognize  the  Compass  Award 
honorees  this  month  at  our  conference  at  the  Broad¬ 
moor  in  Colorado  Springs.  The  conference  is  the  high 
point  of  the  year  for  me,  since  I  get  to  shake  hands 
with  the  readers  and  sources  who  make  this  publica¬ 
tion  what  it  is.  And  over  the  three  days  of  the  confer¬ 
ence,  I  aim  to  do  a  lot  more  listening  than  speaking. 
After  all,  that’s  what  makes  CSO  go  round.  Listening 
to  our  readers  on  an  ongoing  basis  is  the  reason  that 
we  have  written  about  business  alignment,  executive 
communications  and  security  convergence  from  our 
very  first  issue  in  2002,  while  others  are  just  coming 
around  to  those  topics  now.  The  challenge  for  us  is 
to  keep  close  to  security  leaders  so  we  can  continue 
to  recognize  and  explore  what  comes  next.  That’s  the 
joy  of  the  CSO  Perspectives  conference  and  also  the 
reason  why  this  column  always  ends  with  my  e-mail 
address. 

Do  the  same  with  your  business  folks— maintain 
the  conversation.  Keep  listening  and  keep  refining 
your  understanding  of  what  the  business  is  really 
about. 

-Derek  Slater 
dslater@cxo.com 


4  www.csoonline.com  March  2007 


PHOTO  BY  WEBB  CHAPPELL 


©2007  BIGFIX.  BIGFIX  and  its  logo  are  registered  trademarks  of  BIGFIX,  Inc.  All  other  trademarks  are  acknowledged  ...  with  extreme  prejudice.  Illustration  by  Daryl  Mandryl 


We  do  no1 
c 


%  m 


They  want  you  to  spend  months 

installing  security  and  systems  J 

management  in  your 

organization.  And  then  take  days  f 

or  even  weeks  to  protect  less 

than  60%  of  your  systems.  Boy  is 

that  stupid!  Cyberattacks  start 

and  finish  in  minutes,  not  days. 

Whether  you’re  captain  of 
Starship  Enterprise — or  just  an 
enterprise— ask  your  chief 
security 
officer 
how 
long  it 

takes  to  . 
inocu-  f  f  ^gj| 
late  A  R 

and  fjy  AY 

verify  W?  .  V  ▼ 

that  i  jj  ; 

every  SJffiP  % 

computer 
is  secure. 

If  it  takes 

more  than  a  vw*  j  J 

few  minutes,  *,»*•■ 

execute 

somebody.  v 

BFG 

(BigFix  Gun) 
defensive  weaponry 

routinely  protects  hundreds  of  thousands  of  computers  in  minutes,  not  weeks.  Give 
us  3  hours  to  demonstrate  the  projection  of  real  power,  free  to  qualified  enterprises. 
We’ll  train  your  people,  install  a  BFG  behind  your  firewall,  and  then  treat  everyone  to 
lunch.  When  we  get  back,  we’re  betting  you  won’t  let  us  uninstall.  Especially  if  you 
are  a  Symantec/Altiris  customer! 

Schedule  a  demo  via  www.bigfix.com/bfg,  or  call  510-652-6700  xl  16. 

We’ll  also  send  you  a  color  poster  of  this  ad. 


v 

>rW.v  » 


Never  before  have  so  few  done  so  much,  so  fast,  for  so  many. 


How  Not  to  Handle  a  Crisis 


As  I  sat  in  my  office  throwing  darts  at  the  list  of  topics 
I  could  write  about,  I  glanced  out  my  window  and,  lo 
and  behold,  there  was  this  month  s  topic:  The  TJX  Cos. 


TJX’s  headquarters  is  down  the  street  from  CSO’s  offices  in  Framingham, 
Mass.  Looking  at  the  current  PR  mess  TJX  is  struggling  with,  I’m  struck  by 
how  poorly  many  leading  businesses  deal  with  a  crisis  situation.  This  TJX 
situation  will,  no  doubt,  become  a  great  case  study  in  how  not  to  respond. 

For  those  of  you  who  may  have  missed  the  media  frenzy  around  this,  TJX 
is  the  parent  company  of  a  number  of  major  retailers,  including  T.J.  Maxx, 
Marshalls,  HomeGoods,  Bob’s  Stores  and  A.J.  Wright.  According  to  the 
company’s  initial  statement,  TJX  in  mid-December  discovered  an  unauthor¬ 
ized  intrusion  into  the  computer  systems  that  process  and  store  information 
related  to  its  customer  transactions.  It  appears  that  millions  of  records  could 
be  compromised.  And  further  investigation  has  led  the  company  to  believe 
that  the  intrusions  continued  from  May  2006  to  December  2006.  Then  the 
company,  apparently  at  the  behest  of  law  enforcement,  kept  the  discovery 
under  wraps  until  mid-January  while  it  investigated  the  theft  and  strength¬ 
ened  its  security.  From  where  I  sit,  that  was  a  good  move  because  it  gave  the 
company  time  to  secure  its  systems  and  law  enforcement  time  to  investigate. 
But  to  many  in  the  public,  it  looks  like  a  retailer  sitting  on  bad  PR  until  after 
the  important  holiday  season. 

Where  the  process  broke  down  is  the  way  the  company  responded  to  the 
public’s  concerns— and  it’s  feeling  the  fallout.  TJX  went  public  through  a 
statement  posted  on  its  website.  Executives  met  questions  with  curt  “No 
comments.”  When  the  weight  of  the  media  coverage  really  began  to  hit,  TJX 
took  out  full-page  ads  in  newspapers  explaining  what  had  happened  and 
then  posted  a  video  of  Chairman  Ben  Cammarata  on  its  website. 

Maybe  I  missed  it,  but  I  have  yet  to  see  a  live  person  from  TJX  answer 
questions.  When  asked  if  it  would  offer  credit-monitoring  services  to  those 
customers  who  were  affected,  TJX  refused,  claiming  it  was  not  necessary. 


The  result  here  is  that  TJX  has  come  through  this 
process  sounding  like  an  organization  that  has  some¬ 
thing  to  hide. 

The  results  so  far:  A  number  of  credit  card  fraud 
incidents  resulting  from  stolen  customer  data.  Three 
pending  class-action  lawsuits  from  consumers  and 
from  banks  seeking  reimbursement  for  the  cost  of 
issuing  new  credit  cards  to  their  customers.  A  mod¬ 
est  (not  huge)  hit  to  TJX’s  stock  price. 

And  notably,  in  the  first  days  of  early  Febru¬ 
ary,  there  were  still  trucks  from  various  broadcast 
networks  sitting  outside  the  local  Marshalls  store 
because  they  couldn’t  get  their  vans  on  the  property 
of  TJX  headquarters  to  do  their  live  updates. 

There  are  lots  of  lessons  to  learn  here  and  more 
to  come  as  this  story  continues  to  unfold.  The  most 
important:  TJX’s  failure  to  get  out  in  front  of  the 
problem  and  manage  the  public  communication 
more  effectively  has  allowed  others  to  define  the 
issue  for  them. 

In  a  crisis  you  can  never  let  that  happen.  Every 
business  should  have  a  contingency  plan  in  place 
that  addresses  communications  strategies  for  when 
something  goes  wrong.  Remember  that  no  security 
program  is  perfect,  and  being  able  to  effectively  com¬ 
municate  in  a  crisis,  both  internally  and  externally, 
can  play  a  significant  role  in  determining  how  much 
damage  is  done  to  your  business. 

-Bob  Bragdon,  publisher 
bbragdon  @  cxo.com 


6  www.csoonline.com  March  2007 


PHOTO  BY  CHRISTOPHER  NAVIN 


Oracle  Security 


Does  Your  DBA 

Know  Your  Financial  Results 

Before  Your  CEO? 


Oracle  Database  Vault 


Support  separation  of  duties 
for  compliance 

y/  Keep  data  off-limits  from 
the  DBA 

y/  Enforce  business  rules  on 
data  access 


oracle.com/database/dbvault 
or  call  1.800.0RACLE.1 


Copyright  ©  2006,  Oracle.  All  rights  reserved.  Oracle,  JD  Edwards,  PeopleSoft  and  Siebel  are  registered  trademarks  of  Oracle  Corporation  and/or  its  affiliates. 

Other  names  may  be  trademarks  of  their  respective  owners. 


An  Observation  on  Investigations 

ASA  legal  investigator,  I’ve  been  follow¬ 
ing  the  HP  case  for  months  [“5  Things 
About  Corporate  Investigations  the  HP 
Scandal  Won’t  Change,”  January]. 

I  really  enjoyed  your  recent  well-writ- 
ten  article  and  agree  with  your  rendition 
of  the  real  corporate  world  investigations. 

I  must  add,  however,  that  in  my 
experience  an  attorney  asking  questions 
during  an  interview  will  not  get  the 
same  desired  results  as  a  professional 
investigator.  Attorneys  intimidate,  are 
always  rushed  and  usually  have  less  real 
life  experiences  to  draw  out  information 
from  the  interviewee.  I  guess  I  might  use 
the  analogy  of  the  doctor/nurse  relation¬ 
ship  with  patients.  The  nurse  will  usually 
get  more  information  than  the  doctor 
because  the  patient  always  wants  to  “look 
good”  to  his  doctor. 

JOHN  DUNN 

cso 

Special  Research  Services 

Vulnerability  Culpability 

TO  TRULY  apply  the  legal  precedence 
of  any  sort  of  website  manipulation  (or 
unintended  use  of  a  website)  as  a  crime, 
then  a  website  or  advertiser  using  pop-ups 
is  manipulating  a  user’s  computer  in  a 
user-unintended  way  for  their  fiscal  ben¬ 
efit  [“The  Chilling  Effect,”  January],  That 
sounds  much  more  culpable  than  discov¬ 
ering  vulnerabilities,  which  brings  only 
altruistic  benefits  to  the  “manipulator.” 

JAMES  HATFIELD 

Hea  lthca  re  IT  Man  ager 

Ashland,  Ken. 


IN  YOUR  article,  you 
failed  to  mention  how 
much  Bugtraq  did  to 
promote  responsible 
disclosure.  I  was  previ¬ 
ously  the  VP  of  marketing 
at  Security  Focus  [host  of 
the  Bugtraq  mailing  list, 
now  owned  by  Symantec] 
and  our  database  of  vulnerabilities  were 
what  Mitre  and  lots  of  other  organiza¬ 
tions  built  their  systems  and  designs 
upon.  You  should  have  included  Alfred 
Huger  and  Elias  Levy  (Alephl)  in  your 
article.  Elias  ran  Bugtraq  for  five  years 
and  wrote  the  seminal  paper  on  Buffer 
Overflows.  In  retrospect,  I  think  you  gave 
Steve  Christey  and  Chris  Wysopal  too 
much  credit  for  the  work. 

G.R.  “Chip”  Mesec 

Senior  Product  Ma  rketing  Manager, 

DigitalPersona 

A  View  in  Redmond 

FIRST,  A  disclosure:  I  work  for  Micro¬ 
soft.  But  this  letter  contains  purely  my 
own  views  and  opinions. 

The  claims  in  your  article  [“How  to 
Protect  Mobile  Data,”  November]  that 
Microsoft  Encryption  is  “not  strong,  and 
there  is  no  good  management  option  for 
the  enterprise”  are  a  farce.  The  default 
encryption  algorithm  used  is  AES  256 
Bit  on  XP  SP2  and  Windows  2003,  plus 
through  group  policy  you  can  manage 
the  settings  and  change  the  encryption 
used  to  3DES  or  others.  With  regard  to 
manageability,  group  policy  and  script¬ 
ing  capabilities  allow  for  even  the  largest 
enterprise  to  manage  these  solutions  for 
backups,  data  recovery  and  key  recovery. 

Finally,  the  article  doesn’t  discuss  the 
capabilities  around  protecting  data  in 
a  collaborative  environment,  like  rights 
management  services  where  the  protec¬ 
tion  is  persistent  within  the  file  itself  and 
protects  the  data  even  when  it  is  acci¬ 
dentally  uploaded  to  any  one  of  the  free 


How  to  Reach  Us 

E-MAIL 

csoletters@cxo.com 

PHONE 

508  872-0080 

FAX 

508  879-7784 

ADDRESS 

CSO  Magazine,  492  Old  Connecticut  Path, 

P.0.  Box  9208,  Framingham,  MA  01701-9208 

SUBSCRIBER  SERVICES 

Phone:  866  354-1125  Fax:  847  564-9453 
E-mail:  cso@omeda.com 

REPRINTS 

For  article  reprints  (100  quantity  or  more), 
contact  Jennifer  Eclipse  at  PARS  International  at 
212  221-9595  x237  or  e-mail  jeclipse@parsintl.com. 

ABOUT  IDG  International  Data  Group  (IDG),  the 
leading  global  provider  of  IT  media,  research,  con¬ 
ferences  and  events,  informs  more  people  about 
technology  than  any  other  company  in  the  world. 
Offering  the  widest  range  of  media  options,  IDG 
reaches  more  than  120  million  technology  buyers 
in  85  countries  representing  95  percent  of  world¬ 
wide  IT  spending.  IDG  publishes  more  than  300 
newspapers  and  magazines  in  85  countries,  led  by 
the  Computerworld,  infoworid,  Macworld ,  Network 
World,  PC  World  and  CIO  global  product  lines.  IDG 
offers  online  users  the  largest  network  of  technol¬ 
ogy-specific  sites  around  the  world  through  IDG 
.net  ( www.ldg.net ),  a  gateway  to  IDG's  330  websites 
powered  by  more  than  2,000  journalists  reporting 
from  every  continent  in  the  world.  IDG  also  produces 
168  technology-related  conferences  and  events, 
and  research  company  IDC  provides  global  market 
intelligence,  analysis  and  forecasts  in  43  countries. 


HTTPS  file  storage  services.  Data  protec¬ 
tion  needs  to  be  a  multitiered  approach 
that  protects  data  at  rest,  data  in  transit 
and  data  during  collaboration. 

For  the  next  version  of  Windows 
Mobile  we  are  allowing  for  encrypting 
storage  cards  and  we  currently  have 
remote  wipe  capabilities. 

BRIAN  MARRANZINI 


Correction: 

The  story  “How  to  Protect  Mobile  Data” 
in  November’s  issue  of  CSO  incorrectly 
referred  to  the  type  of  encryption  in 
Kingston  Technology  USB  drives.  The 
drives  use  hardware-based  encryption. 


We  want  to  hear  from  you 

TO  RESPOND  to  articles  you’ve  read 
in  CSO,  write  to  us  at  csoletters@cxo.com. 
We  welcome  your  criticism,  thoughts  and 
suggestions. 


8  www.csoonline.com  March  2007 


SPECIAL  ADVERTISING  SUPPLEMENT 


WHAT  EXACTLY  IS  AN  INSIDER  THREAT? 

Most  CIOs  would  agree  that  the  definition  of  "insider 
threat"  must  encompass  any  digital  behavior  that 
poses  a  threat  to  shareholder  value  through: 

•  Direct  financial  loss 


quantifiable  benefits.  Not  surprisingly, 
some  IT  organizations  have  reacted  to  the 
insider  threat  with  a  firewall  mentality:  If 
we  can  stop  external  threats  from  entering 
the  network,  the  thinking  goes,  why  not 


•  Theft  or  impairment  of  intellectual 
property 

•  Compromise  of  customer  data 
leading  to  brand  damage 

•  Lost  productivity  and  misused 
resources 

•  Exposure  to  legal  risk  and  liability 

•  Creation  of  a  hostile  work  environ¬ 
ment 


Dealing  with  the  growing  range 
of  insider  threats  is  daunting. 

Network  complexity,  dissolving 
perimeters,  the  proliferation  of 
alternative  communications  chan¬ 
nels  such  as  instant  messaging  and 
VoIP  and  easy  access  to  removable 
media  all  contribute  to  raise  the 
threat  level. 

Enterprises  cannot  afford  to 

respond  with  anything  less  than  extremely  targeted,  focused  and 
efficient  remediation.  Many  have  responded  with  security  policies 
that  define  accepted  user  behavior,  but  in  many  instances  insider 
breaches  exploit  legitimate  user  access  and  functions. 

The  breadth  and  depth  of  the  trusted  user  threat  requires  pro¬ 
portionally  rich  and  sophisticated  solutions.  Already  stretched  to 
the  limit,  IT  and  security  organizations  must  respond  to  the  specific 
problem  with  tailored  remediation,  not  generalized  reactions — 
because  no  business  wants  to  arbitrarily  clamp  down  on  legitimate 

transmission  of  information. 


i  k 


implement  solutions  that  prevent  informa¬ 
tion  from  exiting  the  network? 

These  types  of  solutions,  commonly 
referred  to  as  "content  monitoring  and  fil¬ 
tering"  or  "information  leak  prevention" 
products,  address  only  one  vector  of  insid¬ 
er  threats — outbound  data  streams,  mostly 
e-mail— and  can  only  block  data  or  alert 
you  that  it  has  been  transmitted.  What's 
generally  missing  from  these  solutions  is: 


•  Detection  of  non-e-mail  activities,  such 
as  copying  files  to  removable  media, 
printer  output,  and  DVD/CD-burning 

•  Visibility  into  encrypted  transmissions 
and  transactions 

•  Monitoring  off-network  and  offline  user 
activity,  particularly  in  mobile  users 

•  Ability  to  detect  and  prevent  deliberately 
obfuscated  multi-vector  behaviors 

•  Situational  context  for  each  incident,  to 
minimize  false  positives  and  false  nega¬ 
tives 


SPECIAL  ADVERTISING  SUPPLEMENT 


Companies  need  to  be  able  to  detect  and  respond  to  the  full 
range  of  threatening  behaviors.  The  challenge  is  to  implement 
systems  that  are  constantly  vigilant  and  that  can  analyze  traffic, 
content  and  behavior  in  context  to  determine  whether  it  is  nefar¬ 
ious,  serves  a  legitimate  business  purpose,  or  falls  into  the  myri¬ 
ad  of  activities  in  between  that  are  on  the  margin  of  acceptable 
behavior. 

A  solution  that  provides  visibility  into  behaviors  in  context 
provides  security  professionals  with  the  ability  to  respond  appro¬ 
priately  with  policies  or  practices  for  near-term  remediation  or 
long-term  prevention  without  impeding  business. 

APPROPRIATE  RESPONSES 

Most  companies  would  be  horrified  to  discover  what  percent¬ 
age  of  their  daily  activity  involves  non-business  related  activities 
such  as  online  shopping,  stock  trading,  and  travel  planning.  As 
headcount  is  nearly  always  the  largest  corporate  expense,  the 
impact  on  profit  margins  from  lost  productivity  can  be  substan¬ 
tial.  Pornography— much  of  which  easily  bypasses  most  URL  fil¬ 
tering  solutions — can  become  a  significant  legal  liability  if 
exposed  inappropriately  or  accidentally. 

Employee  behavior  at  the  margin  of  acceptability,  or  even 
activities  that  appear  threatening  but  are  in  fact  legitimate— are 
almost  impossible  for  automated  systems  to  detect  without  gen¬ 
eration  of  false  positives  that  disrupt  business  activity. 

Truly  contextual  activities  such  as  internal  harassment, 
protest,  and  snooping  are  nearly  impossible  to  detect,  much  less 
prove,  with  conventional  solutions.  And  detection  of  truly  mali¬ 
cious  actions  requires  sophisticated  detection  and  generation  of 
forensic  evidence  that  can  withstand  legal  review  in  support  of 
termination  or  prosecution. 

Enterprises  need  to  attack  the  root  cause  of  the  insider  threat 
itself— user  behavior— and  look  at  content  only  as  a  symptom. 
Only  by  moving  beyond  the  reverse  firewall  mentality — and  into 
the  actual  root  cause  of  threatening  behavior — can  organizations 
achieve  the  contextual  visibility  required  to  mitigate  insider 
threats  and  truly  optimize  business  processes  and  procedures. 

-  ■  '  •  •  ''  '  ■'  *'  " 

TAKE  ACTION  ON  YOUR 
INSIDER  THREAT  ISSUES  TODAY! 

•  Download  the  whitepaper:  Why  Content  Filtering  and 
Information  Leak  Prevention  Solutions  Don't  Stop 
Insider  Threats 

•  Setup  a  "Total  Behavioral  Visibility"  Insider  Threat 
Assessment 

Register  for  both  at  www.oakleynetworks.com/CSO 

or  call  toll-free  1-800-662-9120. 


OAKLEY  DELIVERS 
BEHAVIORAL  VISIBILITY 
Oakley  Networks,  building  on  a  foundation 
of  technology  developed  for  the  government, 
today  delivers  an  integrated  solution  that 
addresses  the  entire  spectrum  of  threatening 
insider  behavior: 

•  Protection  from  the  network  edge  to  the 
desktop 

•  DVR-like  incident 
replay  for  forensics 
and  investigation 

•  Detecting  incidents 
even  where  all  traf¬ 
fic  is  encrypted 

•  Capturing  incidents 
that  take  place 
when  a  device  is 
not  connected  to 
the  network 

•  Allowing  anyone, 
even  non-technical 
staff,  to  immedi¬ 
ately  identify 
threats  or  unproductive  behavior 

•  Immediately  identifying  the  desktops  most 
at  risk,  and  automatically  deploying  soft¬ 
ware  to  detect  more  threatening  behavior 

SUMMARY 

Insider  behavior — whether  unintended  or 
malicious — can  carry  serious  business  risks. 

In  today's  complex  network  environment, 
simple  content  monitoring  and  filtering  does 
not  provide  the  context  necessary  to  assess, 
discover  and  detect  threatening  behavior  by 
trusted  insiders.  It  also  lacks  advanced  foren¬ 
sics  capabilities,  such  as  capture  and  play¬ 
back  of  incidents.  Only  Oakley  delivers  the 
combination  of  technologies  required  to  give 
network  managers  and  security  professionals 
the  visibility  they  need  to  respond  to  a  range 
of  threats  with  an  efficient  range  of  remedia¬ 
tion.  The  Oakley  solution  helps  you  prevent 
insider  threats,  implement  effective  security 
policies,  improve  employee  training,  and  tar¬ 
get  high-risk  behavior. :: 


ncincuiauvi  i 


Erroneous  .  ‘Training 

Disclosure  '  ‘Education 

Hostile  .  ‘Discipline 

Environment '  ‘Termination 

•Coaching 
•Discipline 

•Coaching 
•Counseling 


Privilege 

Abuse 

Employee 

Morale 


Lost 
t  Productivity 


•Training 

•Awareness 


Insider  Behaviors 


Total  Behavioral 
Visibility  allows  for  laser- 
focused  response  to 
all  threat  incidents. 


OAKLGY  CSO 


The  Business  Case  for  Security 

How  to  Plan,  Deliver,  Measure  and  Communicate 


Join  us  at  The  Broadmoor,  Colorado  Springs,  CO, 
March  18  -  20, 200T  and  learn  from  the  best  in  the 
business  about  the  process  of  building  the  business 
case  for  security. 

CSO  Perspectives  offers  security  executives 
unparalleled  access  to  many  of  the  world’s 
leading  experts  in  security  and  risk  management. 


Platinum  Silver 

Sponsor:  Sponsors: 


Don’t  miss  the  Pre-Conference 
Critical  Incident  Table  Top 
Exercise  on  Sunday,  March  18th 


•  1 1 1 1 1 1 1  •  0 

Program  Highlights:  cisco.  ou^labs  ©vontu 

Opening  Keynote:  Security  in  an  Uncertain  World 

L.  Paul  Bremer,  Ambassador,  Author  of  My  Year  in  Iraq:  The  Struggle  to  Build  a  Future  of  Hope 

Closing  Keynote:  How  Do  You  Know  When  It’s  Working? 

William  Wipprecht  ,  Executive  Vice  President  and  CSO,  Wells  Fargo  &  Company 

Additional  speakers  include: 

Mark  Connelly,  Vice  President  and  CISO,  Sun  Microsystems 
Steven  Davis,  Chief  Architect  and  Vice  President,  Walt  Disney  Studios 
Dan  Lohrmann,  CISO,  State  of  Michigan 
Audrey  Pantas,  CISO,  Xerox  Corporation 


For  more  information  and  to  register  visit  www.csoonline.com/csop_2007  or  call  800-366-0246 

,  i 


IMPROVE  YOUR 
PROFESSIONAL  SKILLS 
(ADVANCE  TO 


Exam  Registration  Deadline:  11  April  2007 
Exam  Date:  9  June  2007 

Certified  Information  Systems  Auditor'" 

www.  isaca.  org/csomag 

CERTIFIED  INFORMATION^  f 
SECURITY  MANAGER*  I 


ISACA 

Serving  IT  Governance  Professionals 


News,  Stats  and  Fast  Facts  Edited  by  Michael  Goldberg 


Trouble  Over  the  Rainbow  Tables 


Method  for  cracking  password  encryption  strings  hits  LAN  Manager,  other  targets 


COMMON  PASSWORD  encryption  formats  used  by 
programs  such  as  Microsoft’s  LAN  Manager  have, 
since  the  mid-1990s,  been  vulnerable  to  brute  force 
attacks  like  the  infamous  lOphtcrack.  A  brute  force  attack 
works  by  guessing  entire  passwords  against  dictionaries  of 
known  passwords,  and/or  by  going  through  the  password 
characters  one  at  a  time  until  the  trial  password  combination 
opens  the  virtual  lock. 

However,  simply  testing  one  character  sequence  after 
another  to  try  to  hit  upon  the  password  can  be  quite  time- 
consuming.  Over  the  past  few  years,  a  new  method  ^ — ‘ 

called  rainbow  cracking  has  exponentially  sped  [ 

up  the  process  of  cracking  passwords  encrypted 
with  commonly  used  hashes  (or  algorithms)  such 
as  MD5.  “Rainbow  tables”  contain  strings  of  / 

precomputed  hash  values  covering,  for  example,  / 
every  possible  eight-digit  sequence  of  key-  / 

board  characters.  If  a  hacker  has  the  hashed 

l 

password  value,  he  can  find  that  hashed  value  \ 
in  the  rainbow  table  and  thus  recover  the  asso-  \ 
dated  password.  N. 

Password-cracking  programs  like  these  are  part 
of  any  hacker’s  toolbox.  Cracking  the  passwords  faster 
gives  criminals  more  time  to  invade  and  exploit  the  system 


WHAT  TO  DO 

Prevention  is  the  best  course 
against  rainbow  tables.  That 


■  Protecting  hardware— servers, 
desktops,  wireless  and  other 
network  devices— from  malware 
that  can  be  used  to  copy  and  sniff 
passwords  to  send  out  of  the 
network  for  cracking,  says  Andre 
Protas,  research  engineer  at  eEye 
Digital  Security. 

■  Using  strong  alphanumeric 
passwords  eight  characters  or 
longer  that  are  changed  at  regular 
intervals.  Don’t  use  the  same 


before  the  compromise  is  discovered,  says  Gunter  Ollmann, 
director  of  security  strategy  at  IBM  Internet  Security  Systems. 

A  number  of  hacking  and  security  groups  are  building,  giv¬ 
ing  away  and  selling  these  ready-made 
tables  of  precracked  hash  encryptors. 

The  Shmoo  Group,  a  well-known  group 
of  security  researchers,  released  a  set 
of  rainbow  tables  at  its  annual  Shmoo- 
Con  in  2005.  Hak.5,  Freerainbowtables 

.com  and  others  are  also  dedicating  time  to  making  rainbow 
tables  available.  And  some  companies,  such  as  Rain- 
j  bowTables.net  sell  these  tables  for  password  security 
evaluation  and  help-desk  password  retrieval. 

Experts  say  the  best  defense 


■ 

■ 

^  - 

jWlEfcii 


passwords  for  all  your  users’ 
critical  applications,  says  Gerald 
Carter,  the  release  manager  for 
Samba  3.0,  which  is  a  Linux  version 
of  LAN  Manager. 

■  If  you  use  one  of  the  50  hash 
types  that  provide  salting  (MD5, 
SHA  and  so  on),  make  sure  salting 
is  turned  on,  says  Rodney  Thayer, 
member  of  The  Shmoo  Group, 
a  “white  hat”  hacking  group. 
Windows  versions  do  not  use 
salting,  but  they  do  encrypt  stored 
hashes  if  you  use  the  “SYSKEY” 
tool  to  activate  this  option,  Ollmann 
said.  Salting  also  is  available  for 
recent  versions  of  Samba  for  Linux. 


/  against 

rainbow  tables  is  to 
“salt”  passwords,  which  is  the  prac¬ 
tice  of  appending  a  random  value  to  the  password 

before  it  is  encrypted.  “Salting  thwarts  attacks  based  on 
precalculated  possible  passwords,  since  the  encrypted 
value  is  not  based  solely  on  the  value  of  the  unencrypted 
text,”  Ollmann  adds. 

LAN  Manager  is  doubly  susceptible  to  rainbow  attacks 
because  it  hashes  passwords  into  all  uppercase  letters 
and  then  splits  14-character  strings  into  two  shorter  and 
easier-to-crack  strings  of  seven  characters,  Ollmann  says. 
Affected  systems  include  Windows  NT,  2000,  XP,  Radius 
servers,  Samba  (a  Linux  version  of  LAN  Manager)  and 
other  embedded  systems.  A  Microsoft  spokesman  says 
Windows  Vista  offers  a  feature  called  BitLocker  prevents 
rainbow  crack-type  attacks  by  encrypting  the  entire  oper¬ 
ating  system,  including  the  password  hash. 

-Deb  Radcliff 


ILLUSTRATION  BY  ESTEBAN 


March  2007  www.csoonline.com  11 


PANDEMIC 

CHECKLIST 

BUSINESS  CONTINUITY  The  federal 
government  in  January  issued  a  set  of  pandemic 
preparedness  guidelines  for  companies  that  have  opera¬ 
tions  overseas.  The  four-page  checklist  covers  tasks 
for  business  operations,  needed  resources,  emergency 
communications  and  up-front  planning  to  avoid  creating 
haphazard  business  policies  in  the  heat  of  a  crisis.  As 
the  checklist  for  helping  employees  in  a  pandemic 
illustrates  (at  right),  CSOs  working  with  far-flung  opera¬ 
tions  should  consider  this  exercise  even  if  there  is  not 
an  avian  flu  pandemic.  For  the  rest  of  the  list  see  www 
.pandemicflu.gov. 


AVIAN  INFLUENZA 
CONTROL  MEASURE 

YOU  ARE  ENTERING  A 
PROTECTION  ZONE 


ALL  ENOUIRIES,  DEFR  A  HELPLINE  0845  9335577 
OR 

SUFFOLK  COUNTY  COUNCIL  08456  037814 


*  \  P  -  I  7  V. 

3M  r;‘-  v  , 

’■  *  !i“. ■ 


A  Bird  Flu  Control 
Measure  sign  near 
Halesworth  in 
eastern  England 


Task  to  protect  the  lives  and 
health  of  employees 

Understand  local  and  national  policies  on  quarantines 
and  closings  of  borders,  transportation  facilities,  schools 

Forecast  impact  of  employee  absences  due  to  illness, 
family  member  illness,  mental  health  needs,  quarantines, 
and  closings  of  schools,  businesses  and  public 
transportation 

Ensure  staffing  plans  have  redundancy  to  operate  with 
fewer  employees;  cross-train  workers  to  do  essential 
tasks 

Analyze  labor  laws  to  understand  an  employer’s 
obligations  to  workers 

Include  the  special  health  or  other  needs  of  employees  in 
contingency  plans 

Encourage  annual  flu  vaccines  according  to  local  public 
health  guidelines 

Assess  accessibility  of  health  care,  drugs,  mental  health 
and  social  services  for  employees;  use  organizational 
resources  to  supplement  local  ones 

Review  health  insurance  policies  to  determine  if  coverage 
is  needed  to  mitigate  country-specific  risks  and  effects  of 
a  pandemic 

Assess  potential  availability  of  pandemic  vaccine  and 
antiviral  medicine  in  the  host  country  and  plan  for  their 
distribution 

Determine  if  in-country  medical  services  are  available 


Plan  for  early  evacuations  or  relocations  of  workers 
during  a  pandemic 

Remind  employees  that  normal  supply  lines  may 
be  disrupted;  encourage  them  to  make  personal 
preparations,  by  stockpiling  food  and  medicine 


Not 

Started 

In 

Progress 

Completed 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

□ 

ANTICOUNTERFEITING 

Knocking  Down  Knockoffs 

The  Department  of  Homeland  Security  said  seizures  of  counterfeit  goods  rose  by 

83  percent  in  2006,  totaling  an  estimated  $155  million.  The  seizures  included: 

k  77  containers  of  counterfeit  Nike  Air  Jordan  athletic  shoes 

•k  42,900  pieces  of  athletic  merchandise,  including  counterfeit  National  Football  League, 
National  Basketball  Association  and  Major  League  Baseball  jerseys  and  other  apparel 

*  160,000  counterfeit  DVDs,  seized  in  a  joint  operation  with  the  People’s  Republic  of  China 

k  One  container  in  Miami  with  more  than  $1  million  worth  of  counterfeit  athletic 
shoes  and  apparel  packaged  to  look  like  Nike,  Reebok,  Puma,  Umbro,  Adidas 
and  Tommy  Hilfiger  merchandise;  and  designer  merchandise  packaged  to 
look  like  Prada,  Ferragamo,  Louis  Vuitton,  Versace  and  Hugo  Boss  goods 

k  One  container  of  Abercrombie  &  Fitch  clothing 

k  $16  million  worth  of  counterfeit  Zig-Zag  cigarette  papers 

SOURCE:  U.S.  IMMIGRATION  AND  CUSTOMS  ENFORCEMENT,  STATEMENT  JAN.  11,  2007 


12  www.csoonline.com  March  2007 


PHOTO  BY  LUKE  MacGR EGOR/REUTERS 


»  Employees  and  guests  bringing  in  more  than  business?  Protect  your  network  -  and  give 
appropriate  access  -  all  with  Juniper  Networks  Unified  Access  Control  v2.0. 

You  don’t  have  to  replace  your  switching  infrastructure  or  be  locked  into  one  vendor  to 
get  the  security  you  need.  Juniper  UAC  2.0  supports  open  standards  and  provides 
enforcement  using  any  vendor’s  802.1X-enabled  switches  and  access  points,  your  existing 
Juniper  firewalls,  or  both.  And  a  single  UAC  deployment  gives  you  security  for  guests, 
contractors  and  employees  -  cross  platform.  Juniper  makes  any  network  more  secure: 
www.juniper.net/UAC 


Juniper 
00f 


O' Net 


1.888. JUNIPER 


Dinero 

Rapido 

Mexican  bank 
brings  ATM  access 
to  masses  using 
fingerprint  readers 

BIOMETRICS  A  PIN  and  a 

fingerprint:  For  customers  of  Banco 
Azteca,  the  Latin  American  bank  based 
in  Mexico  City,  it’s  all  they  need  to 
conduct  a  transaction. 


That’s  good  news,  considering  that 
many  of  the  bank's  customers  haven’t 
completed  elementary  school  and  don’t 
know  how  to  read.  But  despite  the  fact 
that  75  percent  of  the  bank’s  8  million 
customers  can’t  sign  their  name,  they 
have  been  able  to  open  savings  and 
credit  accounts  for  the  first  time, 
says  Marco  Velasquez,  director  of 
e-banking  for  Banco  Azteca. 

Banco  Azteca  is  using  fingerprint¬ 
reading  biometric  authentication 
sensors  from  DigitalPersona  in  what  the 
players  say  is  one  of  the  largest  biomet¬ 


ric  banking  implementations.  The  bank 
is  using  the  sensors  at  its  banks,  Elektra 
stores  and  corporate  facilities. 

Here’s  how  it  works:  When  someone 
initially  opens  a  debit  or  credit  account 
at  a  Banco  Azteca  branch,  his  identity 
is  verified  through  personal  information 
and  an  official  ID,  such  as  a  license.  An 
image  of  the  left  and  right  index  finger¬ 
print  is  captured,  encrypted,  converted 
to  a  template  and  stored,  along  with 
the  personal  information  and  picture  of 
the  user,  in  a  large  database.  The  PIN, 
picture  and  fingerprint  are  verified  each 
time  the  customer  makes  a  transac¬ 
tion.  Customers  can  also  use  a  Banco 
Azteca  card-a  smart  card  with  a 
microchip  that  stores  the  user’s  picture 
and  fingerprint-to  make  purchases 
at  stores  affiliated  with  Banco  Azteca. 
"The  fingerprint  with  the  BA  Card 
replaces  the  signature  or  the  PIN  that 
we  use  with  credit  cards  or  ATM  cards 
in  North  America  and  Europe,”  says 
Chip  Mesec,  senior  product  marketing 
manager  for  DigitalPersona. 

Paul  Collier,  executive  director  of 


the  nonprofit  Biometric  Foundation, 
says  the  smart  card  with  biometric 
function  has  found  a  comfortable  place 
in  foreign  markets.  Collier  says  it  takes 
three  elements  for  such  an  application 
to  become  mainstream:  user  accep¬ 
tance,  low-cost  sensors  and  ease  of 
integration  with  existing  systems.  The 
security  of  fingerprint  images  converted 
to  binary  code  makes  it  relatively 
secure,  Collier  says:  "It  is  extremely 
difficult  to  reconstruct  that  fingerprint 
image  from  that  template;  it  is  impos¬ 
sible  to  ever  perfectly  recreate  it." 

In  a  country  like  Mexico,  where 
fingerprints  are  used  for  voter  registra¬ 
tion,  biometric  smart  cards  are  readily 
accepted  by  consumers. 

Fingerprints  are  the  most  widely 
used  biometrics,  in  part,  because  the 
readers  are  smaller  than  those  used  for 
biometrics  such  as  iris  and  facial  scans, 
and  they  cost  less,  says  DigitalPerso- 
na’s  Mesec.  Fingerprint  sensors  cost 
about  $100  each,  but  Mesec  says  that 
his  company  sometimes  negotiates 
bulk  rates.  - Katherine  Walsh 


How  to  Train  People  to  Listen  to  Alarms 


The  best  way  to  get  people  to  take 
safety  alarms  seriously  is  to  reduce 
the  number  of  false  alarms.  Here 
are  some  tips  you  can  share  with  HR  and 
building  managers. 

1.  TRAIN  EVERYONE 
WITH  ACCESS  TO  ALARM 
SYSTEMS.  Training 
fgr  should  document  any 
changes  to  the  alarm 
system,  including  access 
code  changes  and  technol¬ 
ogy  additions.  These  employees  need 
to  know  which  doors  are  designated 
entrances  and  exits  and  the  proper  open 
and  close  procedures  for  each  of  them. 
Emphasize  the  importance  of  pre-arm¬ 
ing  checks,  walk-throughs  to  ensure  the 
building  is  secure  before  the  system  is 
armed.  Practice  canceling  accidental 
alarm  activations. 


2.  BE  CAREFUL  AT  HOLIDAY  TIME. 

False  alarms  increase  during  the  holidays 
because  of  parties  and  the  greater  num¬ 
ber  of  temporary  employees  and  visitors 
who  accidentally  set  off  alarms.  Make 
sure  temps  are  aware  of  the  alarm  sys¬ 
tems  and  how  they  work.  Avoid  placing 
decorations  near  alarm  system  motion 
detectors. 

3.  USE  THE  RIGHT  KIND  OF  ALARM 
IN  THE  RIGHT  SPOT.  Chronic  false 
alarms  often  stem  from  the  misapplica¬ 
tion  of  technology.  Motion  detection 
systems  have  modernized  surveillance 
systems,  but  it’s  important  to  invest  in 
motion  detection  that  can  distinguish 
between  harmless  objects  (such  as  birds 
or  wind-borne  debris)  and  prowlers, 
vandals  or  bears.  If  you  can't  afford  that, 
then  place  these  and  other  sensors  care¬ 
fully.  For  example,  floor-mounted  con¬ 


tacts  are  a  bad  fit  for  spaces  with  roll-up 
doors;  use  an  alternative,  such  as  track- 
mounted  contacts  on  both  sides  of  the 
door,  with  the  alarms  placed  at  different 
heights  to  reduce  false  alarms  caused  by 
something  banging  into  the  door. 

4.  CREATE  STANDARD  OPERAT¬ 
ING  PROCEDURES.  SOPs  reduce  false 
alarms  by  limiting  situations  that  could 
set  off  alarms.  Procedures  such  as 
changing  codes,  arming  codes,  cancel¬ 
ing  false  alarms,  detailing  when  and 
how  to  contact  authorities  or  the  alarm 
monitoring  service,  performing  system 
maintenance— all  of  these  should  happen 
the  same  way  every  time.  Ongoing  train¬ 
ing  creates  SOPs.  Consult  the  Security 
Industry  Association  ( www.siaonline.org ) 
for  false  alarm  prevention  standards. 

SOURCE:  "HOW  TO  GET  PEOPLE  TO  TAKE  ALARMS  SERIOUSLY," 
http://CSOONLINE.COM/READ/120105/HT_ALARMS.HTML 


14  www.csoonline.com  March  2007 


PHOTO  BY  iSTOCKPHOTO.COM 


'v 


THE  WORLD'S  FIRST  QUAD-CORE  PROCESSOR  FOR  MAINSTREAM  SERVERS. 

Multiply  your  possibilities  with  the  new  Quad-Core  Intel®  Xeon®  Processor  5300  series.  Delivering  up  to  50% 
more  performance*  within  the  same  power  envelope  than  previous  Xeon  processors,  64-bit  capable  Quad-Core 
Intel  Xeon  Processor  is  the  ultimate  in  powerful,  dense  and  reliable  computing.  Learn  more  at  intel.com/xeon 

'Intel  internal  measurement  using  SPECint_rate_base2000*  comparing  Intel  Xeon  E5345  to  Intel  Xeon  5160.  For  more  information  visit  intel.com/performance.  ©2007  Intel  Corporation.  Intel,  the  Intel  logo,  Intel  Core, 


ince 


Leap  ahead 


MULTIPLY  PROCESSING  PERFORMANCE 
AND  MAXIMIZE  RESPONSIVENESS. 


Frozen  Out 

Champions  of  vulnerability  disclosure  say 
Eric  McCarty’s  guilty  plea  in  a  hacking  case 
illustrates  the  chilling  effect  prosecutors 
are  having  on  people  who  point  out  flaws  in 
online  systems.  McCarty  has  his  say. 

SOFTWARE  SECURITY  Eric  McCarty  personifies  case  law 
in  the  field  of  computer  systems  vulnerability  disclosure.  He  is 
now  preparing  for  six  months  of  home  detention  after  pleading 
guilty  last  year  to  accessing  without  permission  computer  sys¬ 
tems  at  the  University  of  Southern  California.  The  story  goes  like 
this:  McCarty,  25,  hacked  into  the  online  admission  system,  cop¬ 
ied  seven  records  from  the  database  and  mailed 
the  information  under  a  pseudonym  to  a  security 
news  website.  He  blogged  about  the  exploit.  The 
university’s  admission  site  shut  down  for  10  days, 
and  soon  McCarty  faced  charges  for  sharing  data 
without  authority  to  do  so. 

While  McCarty  might  not  be  the  perfect 
poster  child  for  a  debate  about  vulnerability 
disclosures— he  was  a  lone  actor,  not  part  of 
an  academic  or  research  team— his  guilty  plea 
rankles  champions  of  legitimate  vulnerability 
research,  which,  after  all,  can  involve  a  kind  of 
digital  trespassing. 

For  his  part,  McCarty  says  he  was  research¬ 
ing  colleges  in  California  when,  on  the  USC  site, 
he  discovered  a  reasonably  simple  SQU  injec¬ 
tion  flaw.  He  informed  the  university,  which 
he  says  didn’t  do  much  about  it.  So  he  sent  the 
information  anonymously  to  a  security  website.  McCarty  says 
the  exploit  that  got  him  into  trouble  was  one  he  developed 
to  help  prove  to  the  university  that  the  database  was  vulner¬ 
able.  McCarty  maintains  he  had  no  malicious  intent  and  never 
used  any  of  the  records  he  compromised  for  personal  gain.  (The 
university  said  its  database  of  more  than  250,000  records  was  at 
risk,  and  it  sought  McCarty’s  prosecution.) 

As  he  prepares  for  home  detention  (his  sentence  also  calls 
for  three  years’  probation  and  $36,000  in  restitution),  McCarty 
spoke  to  CSO  Senior  Editor  Scott  Berinato  about  his  case. 

CSO:  You  hacked  the  system.  Isn’t  that  all  that  matters? 

MCCARTY:  There  was  never  any  gain  for  me.  Not  finan¬ 
cially.  Not  anything.  It  was  a  very  simple  vulnerability,  easily 
exploitable  for  anyone  with  a  security  background.  My  motiva¬ 
tion  was  to  let  them  know  and  make  sure  they  were  aware  of  it. 
But  when  I  told  them,  they  said  it’s  absolutely  not  true,  and  they 
asked  me  to  show  them.  And  when  I  did,  that’s  what  I  was  con¬ 
victed  for,  the  seven  records  I  took  because  they  wanted  proof  it 


could  be  done. 

Prosecutors  called  you  a  “glory  hacker”  and  made  special 
note  of  your  bragging.  The  e-mail  address  you  used  to  dis¬ 
close  the  vulnerability  was  “ihackedusc,”  and  you  posted  on 
your  blog:  “USC  Got  Hacked,  I  was  involved,  I’m  sorry,  my 
bad,  so  all  the  hot  USC  girls,  I  got  your  phone  number  ladies, 
if  your  name  is  Amanda,  Allison,  Amy  or  Anita,  expect  a  call 
any  day  now.”  How  do  you  explain  this? 

The  e-mail  address  simply  was  chosen  to  get  the  atten¬ 
tion  of  the  recipients.  Most  people  get  tons  of  e-mail  every  day, 
and  I  wanted  to  make  sure  the  e-mail  wasn’t  lost  in  the  fray. 
'ihackedusc@gmail”  is  much  more  attention  grabbing  than 
‘my_name@gmail.”  As  for  the  blog  posting,  I  have  openly  admit¬ 
ted  this  was  simply  an  immature  act  on  my  part,  nothing  more. 
Before  the  media  became  involved  I  think  my  blog  got  five  hits  a 
month,  hardly  a  great  avenue  for  bragging. 

Why  plead  guilty  if  you’re  not? 

One  of  the  things  people  don’t  recognize 
is  the  cost  to  defend  against  these  charges. 
You’re  around  $50,000  just  to  get  to  trial. 
That  was  a  make-or-break  issue.  I  didn’t  have 
that  cash  floating  around.  That’s  how  the  plea 
agreement  became  more  appetizing.  It  ended 
up  being  the  lesser  of  two  evils. 

So  if  you  had  more  resources,  you’re 
saying  you  would  have  fought  this? 
Absolutely.  I  would  have  fought  this. 

What  do  you  think  your  case  means  for 
vulnerability  research  on  the  Web? 

The  Internet  is  full  of  sites  that  have  the 
same  problems  as  USC’s  had. 
But  I  have  a  feeling  people  aren’t 
going  to  come  forward  as  a 
result  of  cases  like  this.  Finding 
and  reporting  vulnerabilities  is 
not  new.  What’s  new  is  proving 
malicious  intent  is  no  longer 
necessary  for  prosecution. 

So  researchers  will  be  scared  from  disclosing  flaws  on 
websites? 

When  you  look  at  the  disclosure  [it’s  clear  that]  people  now 
just  analyze  third-party  open-source  software.  And  people 
look  at  software  packages,  operating  systems.  Which  is  great.  I 
believe  in  auditing.  What  you’re  not  seeing  is  Web  application 
flaws  being  found  and  published,  even  though  the  Internet 
is  arguably  more  of  a  low-hanging  fruit  than  client  software. 
People  who  should  be  looking  at  websites  aren’t  going  to  because 
they  face  prosecution.  So  who  does  that  leave?  We  need  to  take 
a  long,  hard  look  at  people  who  are  going  to  be  finding  Web 
vulnerabilities  if  it’s  not  going  to  be  security  researchers.  The 
climate  isn’t  going  to  get  better.  No  justice  came  out  of  this  case. 
No  good  will  come  out  of  it.  ■ 


16  www.csoonline.com  March  2007 


PHOTO  BY  CORBIS 


SPECIAL  ADVERTISING  SUPPLEMENT 


/.,3k" 


_ — -  _ ... 

7  -  }  .  ■  r  ■  •  ,■  ;•  " 

s  fe$  h 

■*  -t'.‘  - .  .•. 

Y--^J  •  t-i 


>  c'v  V.  •  SB  S\.  '  T-  •  ’V 

l  ■/ 

»  1  (;!  P®  f  S:^S!:W^»  A<- 

F^f""v..  /  ?•••”  f  \  >  :. 


n  today's  global  arena  ,  many  companies  are  vital  components  of  a  nation's  "criti¬ 
cal  infrastructure."  Countries  and  companies  must  collaborate  now,  more  than  ever,  to  protect  the  serv¬ 
ices  essential  to  a  nation.  Threats  to  a  company's  information  systems  and  assets  could  come  from  any¬ 
where.  "Whether  the  incident  comes  as  a  direct  physical  attack  or  an  electronic  one,"  says  John  N. 
Stewart,  VP  and  CSO  of  Cisco,  "the  nature  of  these  events  is  essentially  borderless."  No  single  company 
could  possibly  possess  all  of  the  intelligence,  expertise  and  resources  needed  to  combat  threats  origi¬ 
nating  from  such  a  plethora  of 
fronts.  So  where  does  a  company 
turn  for  help  to  acquire  the  neces¬ 
sary  information,  develop  policies 
and  strategies,  and  coordinate 
operational  responses  to  an 
attack? 

::  Seeking  out  complementary 
core  competencies 

In  response  to  escalating  world¬ 
wide  threats,  companies  in  the 
United  States  and  across  the 
globe  have  begun  developing 
close  partnerships  with  their  gov¬ 
ernment  counterparts  to  enhance  infrastructure  security.  These  public-private  partnerships  enable  both 
parties  to  exchange  vital  information,  resources  and  expertise,  create  risk  management  plans  and  con¬ 
duct  response  drills  to  ensure  readiness  against  potential  threats. 


Protecting 

Critical 

Infrastructure 


"Government  agencies  possess 

Why  public-private 
partnerships  are 
essential  to  your 
company's  security 


unique  core  competencies  that  complement  private-sector  strengths," 
explains  Ken  Watson,  manager  of  the  Critical  Infrastructure 
Assurance  Group  for  Cisco.  "Intelligence  services  and  first  respon¬ 
ders  —  including  emergency  medical  technicians,  firefighters  and 
law  enforcement  officials  —  are  the  unique  responsibility  of  govern¬ 
ments."  Furthermore,  governments  have  a  broad  cross-sector  per¬ 
spective,  enabling  them  to  consider  interdependencies  across  mul¬ 
tiple  industries  and  public  entities  that  would  not  normally  be  part 
of  a  single  company's  risk  planning.  These  might  include  everything 
from  power  and  water  to  transportation  and  financial  services. 


CSO 

Custom  Solutions  Group 


.  1 1 1  •  1 1 1 1 

CISCO 


SPECIAL  ADVERTISING  SUPPLEMENT 


In  the  United  States  and  elsewhere,  where  much  of  a 
nation's  critical  infrastructure  might  be  in  the  hands  of 
the  private  sector,  working  collaboratively  provides 
companies  and  government  entities  a  practical  solu¬ 
tion  for  understanding  and  protecting  the  interdepen¬ 
dencies  that  are  not  only  vital  to  a  nation's  security 
but  also  to  the  health  and  well-being  of  its  citizens. 

::  Tips  on  managing  public-private  partnerships 

While  Stewart  acknowledges  that  public-private  rela¬ 
tionships  are  complex,  he  reasons,  "You  have  to 
invest  the  time  and  energy  in  building  trust  before 
things  go  askew,  so  that  when  you  have  to  work 
through  a  crisis  or  a  disaster,  you  already  have  rela¬ 
tionships  that  are  strong  and  responsive."  So  how 
does  one  nurture  public-private  partnerships  while 
protecting  trade  secrets  and  vulnerabilities  from  com¬ 
petitors  and  destructive  outside  forces? 

Meet  your  public-sector  counterparts  face  to  face. 

It's  easier  to  build  trust  sitting  down  over  a  cup  of  cof¬ 
fee  than  anonymously  through  e-mails. 

Attend  government  forums  and  briefings.  The  U.S. 
Secret  Service  and  Federal  Bureau  of  Investigation, 
Interpol  in  the  United  Kingdom,  India's  Special 
Services  Unit  and  other  law  enforcement  organiza¬ 
tions  around  the  globe  offer  forums  for  companies  of 
every  size  and  sector.  Also,  organizations  focused  on 
intelligence  or  special  missions,  like  the  U.S. 
Department  of  Homeland  Security,  hold  forums  and 
meetings  in  their  areas  of  specialty.  This  is  a  way  to 
reach  out  and  learn  not  only  what  government  agen¬ 
cies  can  do  but  what  capabilities  reside  in  companies 
within  your  sector. 

•  Get  involved  in  legislative  reform.  If  your  compa¬ 
ny  is  going  to  be  subject  to  local,  provincial,  state  or 
federal  laws  that  affect  your  company  or  sector,  it's 
important  to  understand  how  those  regulations  and 
legislation  are  evolving.  You  want  to  educate  law¬ 
makers  to  the  best  of  your  ability,  so  that  any  new 
provisions  they  create  don't  result  in  unintended 
consequences  for  you  or  your  industry. 

•  Maintain  information  security  contacts  in  all  the 
countries  in  which  you  operate.  Assign  someone  in 
each  of  your  facilities  to  develop  a  trusted  list  of  first 
responders  they  would  contact  in  an  emergency.  And 
make  sure  they  keep  the  lists  current.  Once  an  inci¬ 
dent  occurs,  it's  too  late  to  make  random  phone  calls 
to  generic  numbers  and  try  to  build  trusted  relation- 


While  the  number  of  sectors  that  have  ISACs 
continues  to  expand  to  address  growing  threats 
to  physical  and  cyber  security,  currently  the  list 
includes  councils  for  critical  infrastructure  in: 

::  Communications 

(www.ncs.gov/ncc/main.html) 

::  Electricity  (www.esisac.com) 

::  Emergency  management  response 

(www.usfa.dhs.gov/emr-isac) 

::  Financial  services  (www.fsisac.com) 

::  Highway  (www.highwayisac.com) 

::  Information  technology  (www.it-isac.org) 

::  Multi-state  (www.msisac.org) 

::  Public  transit 

(www.surfacetransportationisac.org/SPTA.asp) 

::  Surface  transportation 

(www.surfacetransportationisac.org) 

::  Supply  chain 

(www.secure.sc-investigation.net/SC-ISAC) 

::  Water  (www.waterisac.org). 

Membership  provides  you  with  a  community  of 
trusted  colleagues — legally  bound  to  protect 
the  information  you  exchange — who  can  help 
you  in  a  crisis. 


ships  on  the  fly.  When  you're  in  the  middle  of  a  crisis, 
you  don't  have  the  luxury  of  time  to  educate  an 
anonymous  responder  on  your  company  and  what 
support  it  needs. 

•  Participate  in  your  industry  ISAC  (Information 
Sharing  and  Analysis  Center)  or  its  equivalent  (see 
www.lsaccouncil.org).  These  centers  represent  a 
trusted  community  of  security  specialists  from  com¬ 
panies  across  a  single  industry  sector  dedicated  to 
protecting  their  infrastructures  by  identifying  and 
sharing  best  practices  to  quickly  and  properly 
address  vulnerabilities.  As  appropriate,  they  share 
information  and  interact  with  government  agencies 
that  can  enhance  their  and  other  sectors'  readiness 
in  a  threat. 

•  Join  FIRST  (Forum  for  Incident  Response  and 
Security  Team,  www.first.org).  This  organization 
provides  trusted  peer  relationships  with  incident 
response  teams  from  other  companies  and  govern¬ 
ments.  FIRST  allows  you  to  share  incidents  one-on- 


SPECIAL  ADVERTISING  SUPPLEMENT 


"Public-private  partnerships  aren't  about  improving  profits  fora  company. 
They're  about  defending  corporate  and  government  networks. " 

Ken  Watson,  Manager,  Critical  Infrastructure  Assurance  Group,  Cisco 


one  with  other  teams  while  protecting  sensitive 
information  about  those  incidents.  There  have  been 
numerous  times  where  one  company's  incident 
response  team  traced  the  origin  of  an  incident 
affecting  its  networks  to  another  company's  region 
and  successfully  coordinated  its  investigation  and 
resolution.  FIRST  also  provides  smaller  companies 
that  have  fewer  security  resources  broader  access  to 
information  on  hot  security  topics.  And  like  an  ISAC, 
membership  provides  you  with  a  wider  community 
of  trusted  colleagues  who  can  help  you  in  a  crisis. 

::  Barriers  to  information  sharing 

As  any  corporate  lawyer  will  tell  you,  be  careful  whom 
you  trust.  While  it  might  be  beneficial  to  share  certain 
security  information  with  the  government,  it  is  wise  to 
have  a  protection  policy  in  place  that  guards  the  sensi¬ 
tivity  of  the  information  you  exchange.  In  the  United 
States,  for  instance,  the  government  can  deem  infor¬ 
mation  classified.  But  the  Freedom  of  Information  Act 
can  potentially  undermine  the  best  intentions  of  gov¬ 
ernment  agencies  to  protect  your  vulnerabilities  from 
public  release,  which  may  include  distribution  to  those 
that  can  harm  your  information  systems  or  assets. 

John  Stewart  of  Cisco  offers  some  suggestions: 

•  Before  you  exchange  any  information,  under¬ 
stand  the  context  in  which  it  will  be  made  public. 

For  example,  an  incident-based  matter  within  your 
company  might  be  held  to  the  highest  level  of  pri¬ 
vacy  by  law  enforcement.  But  if  the  information 
involves  a  publicly  regulated  facility,  it  might  auto¬ 
matically  fall  under  public  disclosure  laws. 

•  Interact  with  government  officials  in  relation  to  the 
area  of  the  government  where  they  work  and  the 
outcome  you  expect.  For  instance,  you  might  share 
a  generic  solution  to  a  security  problem,  knowing 
that  the  information  will  be  made  public.  But  if  you 
share  an  incident  that  occurred  in  your  company  to 
gain  insight  on  how  government  can  use  that  kind  of 
information  in  the  future,  be  prepared  to  answer 
questions  regarding  your  disclosure.  Work  with  your 
company's  legal  counsel  to  determine  the  correct 
course  of  action. 

•  Remaining  silent  carries  its  own  risks.  While  individ¬ 


ual  companies  have  tended  to  keep  their  concerns 
to  themselves,  those  looking  to  exploit  critical  vul¬ 
nerabilities  are  collaborating  aggressively  on  the 
best  ways  to  use  technology  against  us.  To  level  the 
playing  field,  industry  and  government  must  learn 
to  work  together  to  protect  not  only  themselves  but 
each  other,  which  may  involve  trusting  one  another. 

::  The  value  of  public-private  partnerships 

If  your  company  provides  goods  and  services  to  the 
private  sector,  you  can  gain  unique  insight  into  how 
your  customers  actually  use  your  products  in  a  crisis 
and  then  redesign  them  accordingly.  But  in  general, 
"public-private  partnerships  aren't  about  improving 
profits  for  a  company,"  Ken  Watson  points  out. 
"They're  about  defending  corporate  networks  and 
nations,  states  or  other  legal  jurisdictions.  The  value 
for  companies  in  public-private  partnerships  is  that 
they  gain  the  additional  knowledge  they  need  to  pro¬ 
tect  themselves  that  they  wouldn't  otherwise  have, 
and  they  gain  an  appreciation  of  their  government 
partner's  concerns  about  how  to  protect  itself." 
Watson  identifies  three  levels  of  public-private  part¬ 
nerships,  each  with  its  own  intangible  benefits:  policy 
and  strategy,  operational,  and  technical. 

At  the  policy  and  strategy  level,  he  points  to  the  PCIS 
(Partnership  for  Critical  Infrastructure  Security)  one  of 
the  first  cross-sector  coordinating  councils  created  at 
the  request  of  a  federal  agency  that  brought  together 
owners  and  operators  of  critical  infrastructure  to 
address  such  fundamental  issues  as: 

•  How  to  share  information  among  sectors 

•  Whether  the  products  and  services  available  were 
sufficiently  secure  to  protect  critical 
infrastructure 

•  Whether  enough  money  was  being  spent  on 
research  and  development  of  security  tools 

•  How  interdependencies  among  sectors  affect 
responses  to  emergencies 

•  Whether  government  has  the  right  call  lists  and 
points  of  contact  across  infrastructures  to  provide  a 
coordinated  response  to  physical  or  cyber  threats 

As  a  result  of  its  initial  meetings,  PCIS  divided  into 
working  groups  to  address  issues  in  research  and 
development,  information  sharing,  public  policy  and 


*  *  3  *  * 


SPECIAL  ADVERTISING  SUPPLEMENT 


\  V 


r// 


internal  governance.  Originally  a  U.S.  initiative,  the 
concept  is  quickly  going  global,  with  interest  and  some 
collaboration  among  organizations  around  the  world. 

At  the  operational  level  are  the  ISACs.  These  infor¬ 
mation-sharing  and  analysis  centers  provide  valuable 
frameworks  for  interaction  among  industry  sectors 
and  the  government  to  advance  the  physical  and 
cyber  security  of  critical  infrastructure.  The  ISACs 
constantly  gather  reliable  and  timely  information 
from  members,  commercial  security  firms,  govern¬ 
ment  agencies,  law  enforcement  and  other  trusted 
sources,  and  disseminate  reports  and  notifications  on 
electronic  incidents,  threats,  attacks,  vulnerabilities, 
solutions,  countermeasures,  security  best  practices 
and  other  protective  measures.  ISACs  provide  mech¬ 


anisms  for  systematic  and  protected  exchange  and 
coordination  of  this  information,  as  well  as  thought 
leadership  to  policymakers  on  critical  infrastructure 
security  and  information-sharing  issues. 

At  the  technical  level,  there  are  various  organizations 
like  the  Network  Reliability  and  Interoperability 
Council  (NRIC),  which  develops  standards  and  best 
practices  in  the  telecommunications  industry. 

Cisco's  Stewart  says  that  ultimately,  public-private 
partnerships  are  all  about  anticipating  crises  and 
preparing  for  them.  "Public-private  partnerships  will 
cost  you  less  than  if  you  make  it  up  on  the  fly  and,  in 
fact,  may  save  you  in  the  end  from  doing  irreparable 
harm."  :: 


The  value  of  readiness  drills  with  public  partners 

The  lessons  learned  from  Cyber  Storm 


In  February  2006,  the  U.S.  Department  of  Homeland 
Security  staged  a  government-led  cyber-security  exer¬ 
cise,  called  Cyber  Storm,  to  test  the  defenses  of  govern¬ 
ment  agencies  and  leading  private-sector  organizations. 
More  than  115  organizations  in  the  United  States, 
Canada,  Britain,  Australia  and  New  Zealand  participated 
in  this  groundbreaking  exercise  to  test  a  national 
response  system  that  could  be  implemented  across  all 
industry  and  government  sectors.  The  exercise  not  only 
dealt  with  mock  attacks  by  hackers,  but  also  simulated 
how  to  deal  with  bloggers  who  were  intentionally 
spreading  misleading  information  about  the  attacks. 
Experts  depicted  hackers  who  shut  down  electricity  in 
10  states,  failures  in  vital  systems  for  online  banking  and 
retail  sales,  infected  discs  mistakenly  distributed  by 
commercial  software  companies,  and  critical  flaws  dis¬ 
covered  in  core  Internet  technology.  While  it  remains  to 
be  seen  to  what  extent  the  exercise  will  help  to  mitigate 
the  potential  harm  from  future  cyber  attacks,  Scott 
Algeier,  executive  director  of  the  IT-ISAC,  says  that  the 
simulation  was  invaluable  in  helping  his  organization 
learn  what  it  needed  to  do  to  improve  its  response  to  a 
real  attack. 

According  to  Algeier,  foremost  was  the  need  to  increase 
the  collaborative  analysis  capability  within  IT-ISAC  mem¬ 
bership.  During  Cyber  Storm,  the  organization's  con¬ 
tracted  operations  center  was  quickly  overwhelmed 
with  incoming  information  and  requests  for  critical 
updates  from  participants.  "It  was  often  very  difficult  for 


the  center's  staff  to  separate  the  urgent  from  the  impor¬ 
tant,"  explains  Algeier.  "As  a  result,  IT-ISAC  has  decided 
that  we  will  be  getting  our  members  engaged  earlier  in 
the  response  process  to  provide  technical  expertise  and 
analysis." 

IT-ISAC  leaders  emerged  from  the  exercise  with  a  few 
other  important  lessons.  In  working  with  the  federal 
agency  responsible  for  the  government's  cyber  net¬ 
works,  they  learned  that  it  was  crucial  to  work  jointly  on 
each  other's  concept-of-operations  documents.  In  this 
way,  they  were  able  to  familiarize  themselves  with  each 
other's  processes  and  ensure  more  streamlined  infor¬ 
mation  sharing.  IT-ISAC  also  agreed  to  develop  a  24x7 
contact  list  within  its  member  companies  for  the 
Department  of  Homeland  Security  to  tap  in  case  of  an 
emergency. 

But  perhaps  one  of  the  most  interesting  findings  from 
Cyber  Storm  was  the  reluctance  of  law  enforcement 
and  intelligence  communities  to  approach  experts  in 
the  private  sector  for  help  in  analyzing  sensitive  or  clas¬ 
sified  information,  despite  the  fact  that  these  individu¬ 
als  held  the  necessary  security  clearances.  According  to 
Algeier,  the  cyber-security  exercise  revealed  two  prob¬ 
lematic  areas.  "First,  the  government  needs  to  be  bet¬ 
ter  informed  about  the  analytical  skills  and  security  cre¬ 
dentials  held  by  ISAC  members.  And  second,  we  need 
to  continue  to  push  to  change  the  culture  from  one  of 
holding  information  to  one  of  needing  to  share." 


•  *  4  •  • 


"opics  to  include: 

•  Structuring  a  Business  Continuity 
Plan:  Treatment  to  Prevention 

•  Legal  Requirements 

•  The  Looming  Threats: 

Terrorism  to  Pandemic 

•  Selling  the  Plan 

•  Business  Resiliency  in  the 
Supply  Chain 

•  Personnel  Training  &  Exercises 

•  Outsourcing/Insourcing 

•  Succession  Planning 

•  Crisis  Case  Studies 

•  Original  Research:  Best  Practices  in 
Business  Continuity 

•  Technology  Breakouts 


The  Three  Key  Pillars  of  Resiliency: 

CIO  &  CSO  Business  Continuity  Forum  2007...  Building 
the  Resilient  Enterprise  will  provide  attendees  with  the  key 
strategic  and  tactical  skills  necessary  to  address  the  issues 
of  continuity,  recovery  and  resiliency  in  their  enterprises. 
Attendees  will  walk  away  with  the  knowledge  of  how  to 
enable  enterprise  resiliency  within  their  organizations. 

If  you  are  a  CIO,  CSO,  CTO  or  other  business  technology 
executive  you  won’t  want  to  miss  this  program!  Visit 
www.cio.com/bc_2007  or  call  800.366.0246  for  additional 
program  information. 

Underwriters: 


ProCurve  Networking 

HP  Innovation 


SUNGARD  ISfisHL 

Availability  Services  CV»mrrr«/. 


Platinum  Sponsors: 


Presented  by: 


Business 

Technology 

Leadership 


CSO 


The  Resource  for 
Security  Executives 


AVAyA 


INTELLIGENT  COMMUNICATIONS 


Gold  Sponsor: 


EMC2 

where  information  lives’ 


UNISYS 

imagine  it.  done. 


Differences  You 
Can  Bank  On 

Observations  from  a  multicontinental  banking 
customer  By  Paul  Raines 

I  MAY  BE  LIVING  in  Europe  now,  but  I  still  keep  a  practiced  eye 
on  the  news  coming  out  of  the  States.  Last  fall,  between  Britney’s 
divorce  and  the  midterm  elections,  I  couldn’t  help  but  notice  a  little 
newsbyte  that  several  American  online  trading  companies  had  been 
hacked.  Yikes!  Luckily,  when  I  logged  on  to  my  accounts  held  with 
U.S.  financial  institutions,  I  found  that  my  balances  had  not  mysteriously  van¬ 
ished  down  a  cyberdrain,  but  the  episode  did  give  me  pause.  The  fact  is,  I’ve 
found  stark  differences  in  the  practices  at  my  American  and  European  banks, 
and  all  evidence  points  to  Europe  being  much  more  security-conscious. 

I  first  noticed  this  with  the  different  pass¬ 
word  requirements  by  American  and  British 
subsidiaries  of  the  same  bank.  When  I  lived 
in  the  United  States,  this  bank— which  shall 
remain  unnamed— allowed  me  to  establish 
any  eight-character  password  for  online 
banking.  If  I  wanted,  I  could  use  my  cat’s 
nickname  as  my  password. 

However,  when  I  later  did  business  with 
the  bank’s  subsidiary  in  the  United  King¬ 
dom,  the  password  was  chosen  for  me  and 
sent  to  my  home  address.  This  password 
was  also  eight  characters  long,  but  it  was  an 
incomprehensible  amalgam  of  special  char¬ 
acters,  numbers  and  letters  in  both  upper- 
and  lowercase.  The  result,  of  course,  is  that 
I  knew  I  would  never  remember  it.  I  tore  out 
the  password  and  tucked  it  inside  my  wal¬ 
let.  Yes,  Mother,  I  know  I’m  not  supposed 
to  do  that.  But  let’s  be  honest.  If  given  the 
choice  between  doing  this  and  forgetting  the  difficult 
password,  calling  the  help  desk,  being  put  on  hold  for  30 
minutes,  and  then  requesting  a  new  password  only  to  be  told 
that  you’ll  receive  it  in  five  working  days,  which  would  you 
choose?  Besides,  isn’t  a  strong  password  tucked  in  my  wallet 
better  than  the  password  “kitty”? 

Anyway,  I  happened  to  be  friends  with  the  global  head  of  information  secu¬ 
rity  at  this  bank,  so  I  rang  him  up  to  ask  about  the  difference.  He  explained 
that  the  bank’s  American  and  British  subsidiaries  are  run  under  the  philoso¬ 
phy  of  “each  tub  on  its  own  bottom.”  They  made  and  implemented  their  own 
security  models  for  online  banking  based  upon  the  “cultural  and  regulatory 


differences”  in  the  regions.  It  seems  the  American  sub¬ 
sidiary  is  more  attuned  to  customer  friendliness,  while 
the  U.K.  subsidiary  is  more  attuned  to  security. 

Another  big  difference  is  in  the  use  of  stored-value 
cards.  Here,  I  bank  with  an  internationally  known 
Dutch  bank.  When  I  first  set  up  my  account,  I  was 
given  a  smart  card  that  functions  the  same  as  a  debit 
card  in  the  States  but  with  added  functionality:  A 
chip  on  the  smart  card  can  be  used  to  store  electronic 
money.  The  idea  is  that  you  can  transfer  funds  from 
your  checking  account  to  the  chip,  then  use  that  money 
for  small  transactions  such  as  paying  for  parking,  pur¬ 
chasing  train  tickets  and  making  incidental  purchases 
at  stores.  The  advantage  from  a  security  standpoint  is 
that  the  parking  meter,  ticket  machine  or  what  have 
you  doesn’t  have  to  authenticate  you  back  to  the  bank; 
it’s  enough  that  you’re  holding  the  card.  The  disadvan¬ 
tage  is  that  if  you  lose  the  card,  you  also  lose  the  stored 
money— but  I  solve  that  by  not  keeping  more  than  20 
euros  on  the  card. 

As  an  added  benefit,  the  smart  card  provides 
greater  security  for  online  banking.  When  I 
got  the  smart  card,  the  bank  also  issued  me 
a  portable  smart-card  reader.  Here’s  how 
it  works:  When  I  log  on,  I  enter  the  smart- 
card  number  into  the  bank’s  website  and 
am  prompted  to  insert  my  card  and  type 
my  PIN  into  the  reader.  The  webpage  pro¬ 
vides  me  with  a  number  that  I  input  into 
the  reader.  The  smart-card  reader  comes 
back  with  another  number,  which  I  then 
type  into  the  webpage  to  be  authenticated. 
It  sounds  complicated,  but  the  entire  pro¬ 
cess  takes  less  than  30  seconds.  The  only 
drawback  is  that  I  need  to  be  in  possession 
of  the  smart-card  reader  (and  the  smart 
card)  in  order  to  perform  online  banking. 
But  then,  so  would  a  crook. 

So  why  don’t  American  banks  do  this? 
It  all  boils  down  to  economics,  really. 
Smart  cards  are  widely  employed  through¬ 
out  Europe  and  thus  the  infrastructure  for  them 
already  exists.  Americans,  by  contrast,  still  rely 
primarily  on  magnetic  stripe  cards,  and  the 
infrastructure  is  geared  toward  this  technology. 

Smart  cards  would  be  much  more  expensive 
to  deploy  than  a  magnetic  stripe  card.  Once  again, 
Americans  tend  to  view  any  losses  due  to  security  as 
simply  the  price  of  doing  business.  ■ 


Paul  Raines  is  CISO  of  a  nonprofit  group  in  The  Hague,  Netherlands. 
Send  feedback  to  Senior  Editor  Sarah  D.  Scalet  at  sscalet@cxo.com. 


18  www.csoonline.com  March  2007 


ILLUSTRATION  BY  JOHN  WEBER 


Trust  is  being  objective  and  doing  what’s  right. 

Trust  is  fulfilling  promises  made  to  our  clients. 

We’re  more  than  a  vendor.  We  ’re  a  true  security  partner. 


LURHQ  and  SecureWorks  have  merged  to  become  the  most  effective  managed  security  services  provider. 
Get  more  info  at:  http//www.secureworks.com  I  877.905.6661  I  info@secureworks.com 

Security  Device  Management  I  Enterprise  Security  Monitoring  I  Security  Information  and  Event  Management 
Vulnerability  Scanning  I  Threat  Intelligence  I  Professional  Services  I  E-mail  Encryption 


Say,  Can  You  See? 

Visualization  tools  can  help  ferret  out  security 
problems,  but  the  technology  has  a  long  way  to  go 

By  Simson  Garfinkel 

INFORMATION  SECURITY  PRACTITIONERS  are  over¬ 
loaded  with  information.  There  is  network  information,  like  reports 
of  scans,  viruses,  worms  and  spam  blasts.  There  are  reports  from  host 
and  authentication  systems— users  who  haven’t  changed  their  pass¬ 
words  and  should  have,  users  who  have  been  locked  out  and  users  who 
are  just  plain  suspicious.  There  are  the  reports  from  deployment  and  patch 
management  systems.  These  days  we  even  need  to  be  concerned 
about  backup  systems— are  they  backing  up  the  data, 
and  is  that  backup  data  encrypted? 

One  of  the  most  basic  ways  to  help  people 
deal  with  information  overload  is  to  visual¬ 
ize  it— that  is,  to  draw  it  out  as  a  graph,  plot 
it  on  a  map  or  use  the  data  to  make  some 
kind  of  diagram.  Unfortunately,  many  of 
the  “visualizations”  provided  by  today’s 
security  tools  and  vendors  are  little  more 
than  bar  graphs  and  pie  charts  of  informa¬ 
tion  that’s  easy  to  gather  but  meaningless 
to  analyze. 

For  example,  one  visualization  that’s 
popular  with  antispam  vendors  is  a  map 
of  the  world  with  pie-charts  or  color-coded 
countries  that  show  the  amount  of  spam 
that  each  part  of  the  world  is  producing.  The 
United  States  is  red,  because  most  of  today’s 
spam  comes  from  computers  that  have  been 
compromised  and  signed  up  for  hacker  botnets. 

Europe,  Brazil  and  China  come  next.  Africa  is 

in  last  place— not  because  the  Africans  are  masters  of  computer  security,  but 
because  the  continent  doesn’t  have  a  lot  of  computers  or  contnectivity.  Yes, 
this  information  is  mildly  interesting.  But  it’s  positively  worthless  when  it 
comes  to  formulating  an  antispam  strategy.  What’s  a  CSO  to  do— block  all  the 
e-mail  that’s  coming  from  the  United  States? 

Simple  management  charts  and  graphs  might  make  passable  eye  candy 
for  the  boardroom  or  an  annual  report,  but  they  don’t  work  well  for  security 
management  because  they  don’t  give  security  professionals  more  insight  into 
their  problems.  For  planning  purposes  it  matters  little  how  much  spam  is 
coming  from  Russia. 

More  Practical  Applications 

Turning  collected  data  into  information  that  can  drive  a  visualization  is  hard 
work:  It’s  much  easier  to  collect  data  than  it  is  to  analyze  it.  Spam  vendors 


sometimes  graph  how  the  amount  of  spam  changes 
from  week  to  week.  But  what’s  more  important  is 
how  the  amount  of  spam  is  changing  in  relation¬ 
ship  to  another  variable— for  example,  the  amount 
of  legitimate  e-mail  that’s  being  delivered.  Another 
important  metric  is  how  much  spam  is  delaying  the 
delivery  of  legitimate  mail,  and  how  much  spam  is 
costing  an  enterprise  in  terms  of  computational  and 
human  resources.  A  graph  that  shows  the  utilization 
of  an  organization’s  spam-processing  appliances  can 
be  used  to  predict  when  it’s  going  to  be  necessary  to 
purchase  new  equipment. 

But  visualization  can  be  used  for  far  more  than 
capacity  planning.  Properly  presented,  visualizations 
should  be  able  to  help  organizations  find  security 
threats  and  incidents  that  they  might  otherwise  miss. 

There’s  some  promising  work 
popping  up  here  and  there, 
for  example,  in  security 
event/information  man¬ 
agement  packages.  But 
overall,  sadly,  today  much 
of  the  best  visualization 
technology  remains  in 
research  labs  and  on  ven¬ 
dor  shelves. 

Visualization  has  long 
been  a  powerful  tool  for 
network  and  computer 
management.  Displaying 
network  bandwidth  or  CPU 
utilization  on  a  strip  chart 
allows  administrators  to  see 
the  systems’  status,  trends 
and  sudden  divergences  from 
established  norms.  Adminis¬ 
trators  soon  learn  that  specific 
patterns  on  their  screens  correlate  with 
specific  problems  they  need  to  address.  Essentially, 
the  visualization  becomes  a  high-speed  interface  that 
allows  the  human  brain  and  the  computer  system  to 
work  together  on  a  complicated  problem. 

This  visual  brain/machine  symbiosis  takes  advan¬ 
tage  of  the  computer’s  ability  to  process  large  amounts 
of  numeric  data  and  the  brain’s  ability  to  find  mean¬ 
ing  in  otherwise  chaotic  patterns.  The  human  visual 
cortex  has  been  tuned  for  rapidly  making  sense  out  of 
the  jumble  of  information.  A  good  visualization  takes 
neurons  that  evolved  over  the  eons  to  detect  leopards 
moving  through  the  veld  and  uses  them  for  finding 
a  router  that’s  crashed  or  a  RAID  array  that’s  lost  a 
spindle.  Although  it  may  take  a  little  training  to  learn 


20  www.csoonline.com  March  2007 


ILLUSTRATION  BY  ANASTASIA  VASILAKIS 


.INFRASTRUCTURE  LOG 

_DAY  27:  These  compliance  regulations  are  killing  us! 
Audits.  Inconsistencies.  Processes.  Time.  Money. 

I  feel  like  l’m  being  chased  by  regulators. 

_0h,  wait.  I  am  being  chased  by  regulators.  Run!!!!! 

_DAY  28:  I’ve  got  it:  IBM  Tivoli  middleware.  It  automates 
system  administration  to  standardize  compliance 
policies.  It  centralizes  processes  to  minimize  the 
headaches  of  new  and  ever-changing  regulations. 

And  it  helps  pinpoint  security  issues  before  they 
become  problems  and  maintains  business  integrity. 

_Gil  is  bummed  we  had  to  ditch  the  high-carb  diet. 


/ 


Better  manage  the  business  of  1.1  at: 

.COM/TAKEBACKCONTROL/COMPLIANCE 


.  _> 

IBM,  tlge  IBM  logo  and  Tivotr  are 
All  rights  reserved. 

>  ;  /  .  .  ,  : 


Machines  Corporation  in  the  United  States  and/or  other  countries,  ©2006  IBM  Corporation 


the  correlation  between  patterns  and 
problems,  it  doesn’t  take  much. 

But  while  high-quality  visualizations 
have  become  an  important  part  of  net¬ 
work  management,  visualizations  of  this 
type  have  had  little  impact  on  the  practice 
of  network  security— or  any  other  kind  of 
computer  security,  for  that  matter.  There 
has  been  some  academic  work  in  recent 
years  aimed  at  developing  visualization 
techniques  for  detecting  hostile  network 
scans  or  other  abnormal  behavior. 

Ben  Schneiderman,  a  professor  at 
University  of  Maryland  who  has  been 
researching  data  visualization  for  more 
than  20  years,  is  fond  of  saying  that  a  pic¬ 
ture  may  be  worth  a  thousand  words,  but  a 
picture  with  a  control  is  worth  a  thousand 
pictures.  Visual  presentations  of  informa¬ 
tion  need  to  be  interactive.  Today  the  best 
visualization  systems  under  development 
are  following  this  advice. 

Into  the  Lab 

For  example,  a  team  led  by  professor 
Kwan-Liu  Ma  at  the  University  of  Califor¬ 
nia,  Davis,  has  developed  a  program  called 
PortVis  that  makes  it  relatively  easy  for  an 
analyst  to  spot  different  kinds  of  network 
scans.  The  program  can  display  time  lines 
of  activity  by  a  host  or  port;  a  grid  visu¬ 
alization,  in  which  all  of  the  activity  of  a 
network  over  a  period  of  time  is  displayed 
on  a  single  grid;  a  volume  visualization, 
which  extends  the  grid  to  a  three-dimen¬ 
sional  volume;  and  a  port  visualization, 
which  shows  the  activity  on  particular 
TCP/IP  ports  over  time.  When  viewed 
with  this  tool,  different  kinds  of  network 
scans  have  very  distinct  patterns.  The 
hope  is  that  the  analyst  will  be  able  to  rec¬ 
ognize  these  patterns  even  when  they  are 
superimposed  upon  the  noise  and  chatter 
of  a  moderately  busy  network. 

Other  work  Kwan-Liu  Ma’s  team  did 
was  aimed  at  using  advanced  signal  pro¬ 
cessing  to  make  these  attack  patterns 
more  distinctive.  Another  paper  on  the 
website  applies  wavelet  scalograms  to  a 
noisy  block  of  data  and  produces  a  bar 
graph.  Similar  scans  have  similar  bar 
graphs,  while  different  scans  have  very 


different  ones.  Other  visualizations  in  that 
paper  show  how  the  hosts  in  a  network  can 
be  clustered  in  blobs,  trails  and  snakelike 
patterns  depending  on  how  the  attacker 
scanned  them. 

At  the  National  Center  for  Supercom¬ 
puting  Applications,  William  Yurcik  has 
been  developing  tools  for  visualizing  Net- 
Flow  data  for  security  purposes.  Yurcik’s 
tool,  NVisionIP,  features  a  “Galaxy”  view, 
in  which  a  block  of  tens  of  thousands  of  IP 
addresses  can  be  viewed  on  a  single  page: 
Darker  regions  are  responsible  for  more 
network  activity.  The  analyst  can  drill 


and  the  motivation  to  use  the  tool  to  search 
out  anomalies  and  network  events.  Unfor¬ 
tunately,  that’s  rarely  the  case.  As  a  result, 
many  researchers  have  developed  useful 
visualizations,  only  to  have  them  sit  on 
the  shelves  because  the  analysts  just  didn’t 
have  the  time  to  run  them. 

As  a  result,  another  area  of  research 
aims  to  use  these  visualizations  as  inputs 
to  machine  learning  algorithms.  Those 
algorithms  then  learn  what’s  normal  and 
what’s  not,  and  are  programmed  to  bring 
abnormalities  to  the  attention  of  the 
human  operators. 


The  real  value  of  visualization  is  that  it 
makes  it  possible  to  find  things  that  are 
new  and  unexpected— patterns  that  are 
strangely  out  of  place. 


down  to  see  individual  machines.  Another 
tool  lets  the  analyst  see  which  machines 
are  the  sources  and  recipients  of  traffic. 

The  real  value  of  visualization  is  that 
it  makes  it  possible  to  find  things  that  are 
new  and  unexpected— patterns  that  are 
strangely  out  of  place.  You  find  something 
that  looks  weird  and  you  try  to  explain  it. 
Sometimes  the  explanation  is  innocent; 
other  times  it’s  a  malicious  attack. 

A  few  months  ago  I  was  working  with  a 
fellow  researcher  on  a  new  network  secu¬ 
rity  visualization.  We  had  a  system  that 
drew  arrows  on  the  computer’s  screen  that 
symbolized  Internet  connections  through 
the  network  over  time.  Looking  at  the  dis¬ 
play  I  saw  several  hundred  arrowheads 
forming  a  diagonal  line.  “That’s  weird,”  I 
thought.  It  turns  out  that  I  was  looking  at 
a  port  scan.  Elsewhere  on  the  plot  we  saw 
a  series  of  arrows  going  off  in  one  direction 
with  no  packets  sent  in  response.  A  few 
seconds  later  the  pattern  repeated,  then 
repeated  again.  Investigation  revealed  that 
we  were  seeing  queries  to  an  unresponsive 
domain  name  server. 

Many  visualization  tools  require  a 
knowledgeable  analyst  who  has  the  time 


Combining  visualizations  with  machine 
learning  accomplishes  many  of  the  same 
results  that  a  good  data-mining  algorithm 
might.  In  fact,  you  could  think  of  this  as  a 
special  kind  of  data  mining.  The  key  differ¬ 
ence  is  that  it  is  data  mining  that  depends 
on  visualization,  so  it’s  possible  for  a  human 
being  to  jump  into  the  middle  of  the  system 
and  look  at  that  same  picture.  Add  a  few 
controls  and  the  visualization  becomes  an 
interactive  application  that  can  be  used  for 
drilling  down,  getting  additional  informa¬ 
tion  and  rapidly  making  a  determination 
about  a  possible  incident. 

While  it’s  easy  to  see  how  visualization 
is  useful  for  network  traffic,  this  technol¬ 
ogy  can  also  be  applied  to  computer  foren¬ 
sics,  patch  management  and  even  privacy 
policy  enforcement.  But  we  won’t  see  this 
technology  on  the  market  until  compa¬ 
nies  start  demanding  visualizations  that 
deliver  information  that’s  both  useful  and 
meaningful.  Eye  candy  belongs  in  video 
arcades,  not  the  boardroom.  ■ 

Simson  Garfinkel,  CISSP,  is  researching  computer 
forensics  and  human  thought  at  Harvard  University. 
Send  feedback  to  machineshop4cxo.com. 


22  www.csoonline.com  March  2007 


©2007  Sharp  Corporation 


If  you  don't  take  control  of  your  data, 

someone  else  will. 


ENERGY  STAR 


As  an  ENERGY  STAR”' 

Partner.  Sharp  has 
determined  that  this 
product  meets  the 
ENERGY  STAR*  guidelines 
lor  energy  elticiency.  www.bwM.com 


MX-2300 
MX-2700 
MX-3500 
MX-4500 
MX-5500 
MX-6200 
MX- 7000 


to)  Swwity  StJuiwm 


tMost  Outstanding 
Business  Color 
MFP  Line  of  2006 


Scarp  ( 

Security  [ 
Scalability  [ 


MX-SERIES 


MNK 


V\ .  :  <  .  I 


fcM  t .  •  | 

mm 


.....-,  ...  ... 


— 


At  MySpace,  “there’s 
this  really  cool  synergy 
between  doing  safety  for 
business  reasons  and 
doing  safety  because  it’s 
the  right  thing  to  do,”  says 
CSO  Hemanshu  Nigam. 


'AMIMIMWAAMN 


=z 


i iWtWMW' 


AiMVm  a 


sai&fci. 


8J5PWB WWW 


Hi 


’ 

ifiiiH.r.li^^iH^-iV’rtl '.fa- :i-  :-j 


GMMi 


«!■ 


■.  MSWfBJRJv .  £7£- 


'  ‘  :  '  --  ■  ■  -  :' 


wmm*m  I 


4mm 


— 


ass \ 


mrttttmMei* 


mmia 


MHliWWft ^mv~,-^...,. . r.,. 


Cover  Story 


Can  Hemanshu 
Nigam  make 
MySpace  a  safe 
neighborhood— 
without  also  making 
it  an  empty  one? 

By  Sarah  6.  Scalet 


■  .. 


— 


IN  THIS  STORY  Why  Hemanshu  Nigam 
was  convinced  Fox  Interactive  Media  didn't 
want  its  CSO  to  be  just  a  figurehead  ■  How 
he  balances  security  initiatives  and 
openness  ■  What  is  left  for  him  to 
accomplish 


IT  WAS  LATE  AUGUST,  AND  DEPEND- 

ing  on  whom  you  asked,  MySpace  was  either 
a  Web  2.0  prophet  or  the  devil  gone  digi¬ 
tal.  While  the  business  world  was  read¬ 
ing  about  the  social  networking  site’s 
$900  million  deal  with  Google,  its  expan¬ 
sion  into  Australia  and  its  mention  on 
Time  s  list  of  the  50  coolest  websites,  the 
security  community  was  riveted  by  a  different  set  of 
headlines.  “Two  teens  arrested  in  MySpace  hack,” 
read  one.  “Three  teens  accused  of  sexually  assault¬ 
ing  girl  they  met  on  MySpace.com,”  read  another.  A 
third:  “Man  accused  of  raping  MySpace  date.” 

At  a  conference  in  Dallas,  Hemanshu  Nigam  had 
to  address  an  audience  focused  on  the  latter  set  of 
headlines.  And  he  was  about  to  find  out  how  public 
a  stage  he  had  stepped  onto  by  taking  the  job  as 
CSO  of  MySpace,  the  News  Corporation  entity  on 
which  owner  Rupert  Murdoch  is  staking  his  plans 
for  a  digital  future.  An  hour  before  Nigam’s  first 
session,  to  be  given  at  the  annual  Crimes  Against 
Children  conference,  he  and  a  staff  member  headed 
to  the  conference  room  at  the  Hilton  to  set  up.  They 
found  a  line  outside  the  door. 

“We  asked  somebody  in  line,  Are  you  waiting  for 
something?”  recalls  Nigam,  who  is  also  CSO  for  all 
of  Fox  Interactive  Media.  “And  they  said,  Yeah,  for 
the  MySpace  training.  As  soon  as  the  doors  opened, 
people  kept  coming,  and  they  kept  coming,  and  they 
kept  coming.  All  of  a  sudden  you  had  4  feet  by  6  feet 
of  walking  space,  and  all  the  way  up  to  that  you  had 
people  sitting  on  the  floor.  All  the  walls  had  people 
standing.  It  was  crawling  room  only.” 


***■/.*  I 


'  iWinM  ■  *■*:  •** 


,  -  ■J'finli,  .  ...  ■ 


— - 


r'»c 


csoc 


:om 


Cover  Story  |  Social  Media 


People  were  turned  away.  Everyone  wanted 
to  hear  how  MySpace  could  assist  law 
enforcement  with  criminal  investigations. 

Nigam,  a  42-year-old  born  in  India 
and  raised  in  Connecticut,  took  the  stage, 
where  he  spoke  both  with  the  command 
of  a  seasoned  federal  prosecutor  of  child 
crimes  and  the  empathy  of  a  father  of  four. 
He  described  MySpace’s  24-hour  hotline  for 
law  enforcement,  its  track  record  of  helping 
to  find  teenage  runaways  as  well  as  rapists, 
and  its  efforts  to  get  IP  addresses  and  other 
crucial  information  to  officers  as  quickly 
as  possible.  His  words  seemed  to  have 
their  desired  effect:  Afterward,  more  than 
90  percent  of  those  assembled  gave  his  talk 
a  positive  rating. 

“He  seems  to  be  forthcoming  in  saying, 
We  know  there  are  issues  that  need  to  be 
addressed,  and  we  are  addressing  them,” 
conference  organizer  Larry  Robbins  says.  “I 
didn’t  get  the  impression  that  he  was  trying 
to  sweep  something  under  the  rug.” 

Law  enforcement  officers  who  have 
tested  MySpace’s  response  capabilities  say 
it’s  not  just  lip  service.  “I  was  actually  pleas¬ 
antly  surprised,”  says  Deputy  U.S.  Marshal 
Robert  Charette,  who  recently  worked  with 
MySpace  to  track  down  and  arrest  a  man 
wanted  in  two  states  who  was  logging  in  to 
his  MySpace  account  from  a  public  library 
in  Philadelphia.  “We  normally  are  used  to 
waiting  days  and  weeks  on  end  [for  subpoe¬ 
naed  information]  from  phone  companies, 
and  I  expected  a  similar  type  of  response 
from  MySpace.  But  it  was  an  immediate 
response,  and  they  were  extremely  coopera¬ 
tive  and  a  pleasure  to  deal  with.” 

The  fact  is,  the  company  had  better  be. 
MySpace  is  hot.  Last  July,  according  to  the 
research  service  Hitwise,  it  passed  Yahoo 
Mail  to  become  the  most-visited  website 
in  the  United  States.  But  as  the  number  of 
profiles  created  at  the  Web  community  has 
exploded— to  150  million  at  the  time  of  this 
writing,  according  to  the  company— so  too 
has  its  appeal  to  everyone  from  small-time 
drug  dealers  to  pedophiles  to  murderers. 
After  all,  it’s  just  as  easy  for  a  criminal  to 
sign  up  as  it  is  for  a  14-year-old  who  wants 
to  share  soccer  photos  or  chat  about  Justin 
Timberlake. 


The  challenge  for  Nigam  is  to  make  the 
site  a  safer  place  for  users  (and,  of  course, 
advertisers)  without  destroying  the  very 
openness  that  has  made  it  so  popular.  This 
places  Nigam  not  just  front  and  center  at 
conferences  about  child  safety,  but  also  at 
the  very  nexus  of  culture,  commerce  and 
security.  Despite  MySpace’s  seeming  abil¬ 
ity  to  respond  well  when  things  go  wrong, 
it’s  still  far  from  certain  whether  Nigam  can 
make  the  site  measurably  safer  and  more 
secure— and  whether  he  can  ever  do  enough 
to  appease  MySpace  critics,  including  an 
outspoken  group  of  32  state  attorneys  gen¬ 
eral  who  want  to  tighten  access  to  the  site. 

When  Nigam  took  over  last  May,  “there 
was  a  sigh  of  relief  breathed  by  many  folks 
[who  felt]  that  now,  at  least,  something  is 
going  to  get  done.  There’s  an  open  door, 
and  there’s  someone  that  they  can  commu¬ 
nicate  with,”  recalls  Derek  Broes,  a  senior 


vice  president  at  Paramount  Digital  Enter¬ 
tainment,  who  worked  with  Nigam  at  two 
previous  jobs.  “His  biggest  challenge  will 
be  accomplishing  what  MySpace  wants  to 
accomplish  without  damaging  the  company 
itself  and  building  a  poor  user  experience.” 

It’s  no  easy  task.  But  as  Broes  puts  it, 
echoing  the  sentiments  of  others  who  know 
Nigam,  “if  anybody  is  going  to  find  the  solu¬ 
tion,  it’s  going  to  be  Hemu.” 


Nigam’s  New  Space 

Not  long  after  the  media  conglomerate  News 
Corp.  bought  MySpace  for  $580  million  in 
October  2005  and  wrapped  it  up  into  Fox 
Interactive  Media,  the  suits  started  looking 
for  someone  to  help  improve  security  at  the 
once-scrappy  upstart.  Social  networking 
sites  such  as  MySpace,  Facebook  and  Xanga 
had  been  flying  under  the  corporate  radar 
despite  concerns  about  child  safety,  mali- 


26  www.csoonline.com  March  2007 


PHOTO  BY  ANDREW  KIST 


cious  code  and  copyright  infringement.  But 
now  things  were  different.  Not  only  did  the 
largest  of  those  sites’  new  parent  company, 
News  Corp.,  have  deep  pockets  (200 6  rev¬ 
enue:  $25.3  billion)  but  Murdoch  also  was 
counting  on  MySpace  to  be  a  big  part  of  his 
company’s  strategy  going  forward.  In  fact, 
the  News  Corp.  chairman  and  CEO  told 
investors  it  was  a  $6  billion  property.  (A 
Chinese  company  owned  by  IDG,  parent  of 
CSO’s  publisher,  is  in  talks  with  MySpace  to 
invest  in  a  Chinese  version  of  the  site.) 

Ernie  Allen,  longtime  president  of  the 
National  Center  for  Missing  and  Exploited 
Children,  soon  got  a  phone  call  from  some¬ 
one  at  Fox  Interactive  Media,  who  wanted 
his  recommendation  on  CSO  job  candidates 
with  credibility  on  child  safety  issues  as  well 
as  a  solid  understanding  of  technology. 
Nigam  immediately  came  to  mind. 

The  two  men  had  known  one  another  for 


If  you  look  at 
the  problems 
that  MySpace 
has  fixed  or 
improved, 
it’s  very 
encouraging. 
But  theres 
more  to  do,  and 
the  challenge 
is  daunting. 

-ERNIE  ALLEN,  PRESIDENT, 
NATIONAL  (  ENTER  FOR  MISSING 
AND  EXPLOITED  CHILDREN 


more  than  a  decade,  since  Nigam’s  days  as  a 
federal  prosecutor  for  the  U.S.  Department 
of  Justice,  where  he  specialized  in  Internet- 
related  child  pornography,  child  predator, 
women  and  child  trafficking,  and  computer 
crime  cases.  Later,  they  worked  together 
when  Nigam  was  director  of  consumer 
security  outreach  and  child  safe  comput¬ 
ing  at  Microsoft.  (In  between  the  two  jobs, 
Nigam  was  a  vice  president  for  the  Motion 
Picture  Association  of  America,  where  he 
worked  on  antipiracy  initiatives.)  Allen  had 
high  regard  for  Nigam’s  integrity  and  abil¬ 
ity  to  get  things  done.  “I  thought  his  back¬ 
ground  was  exactly  what  they  needed,”  he 
recalls,  and  said  as  much  to  the  person  on 
the  other  end  of  the  line. 

At  Microsoft,  Nigam  got  a  call  too. 
“Somebody  said,  can  you  call  a  friend  of 
mine  at  MySpace  and  talk  to  them  because 
you  know  child  safety?  And  that  turned  into, 
would  you  like  to  work  here?  Then  I  called 
Ernie  and  said,  what  do  you  think  of  this? 
I  don’t  want  to  go  somewhere  just  because 
they’re  looking  for  a  name  from  Microsoft. 
I  want  to  go  there  because  I'm  really  going 
to  make  a  difference,”  Nigam  says. 

Allen  was  convinced  that  in  offering 
Nigam  the  job,  Fox  Interactive  Media  had 
shown  that  it  was  looking  for  more  than  a 
figurehead  to  appease  shareholders  and  talk 
to  The  Wall  Street  Journal.  “I  said  to  them, 
you  should  not  hire  somebody  like  Hernu  if 
the  purpose  of  this  is  pure  PR,  because  his 
whole  history  is,  he’s  a  doer,”  Allen  recalls. 
“He  makes  things  happen.  He  tackles  chal¬ 
lenges  and  tries  to  solve  them.” 

Despite  the  fact  that  the  job  would  mean 
relocating  his  wife  and  four  young  children 
from  Washington  state  to  Los  Angeles,  the 
opportunity  was  enticing.  “The  reality  is 
this  company  got  hit  with  the  worst  kind  of 
thing  a  company  can  get  hit  with,  and  that’s 
predators,  but  it  got  hit  at  the  best  possible 
time  that  a  company  can  get  hit  with  a  prob¬ 
lem  like  that,  and  that’s  at  its  nascent  stage 
of  development,”  Nigam  says.  “The  com¬ 
pany  hadn’t  been  built  in  a  way  that  it  was 
going  to  be  stuck  in  its  ways.  It  was  only  a 
year  and  a  half  old.  If  they’d  called  me  three 
years  from  now,  I  wouldn’t  even  think  about 
it.  Now  is  the  time  to  set  the  stage.” 


The  public  reaction  to  Nigam’s  appoint¬ 
ment  was  swiff  and  positive.  With  his  legal 
background,  technology  smarts  and  reputa¬ 
tion  as  a  defender  of  children,  all  his  experi¬ 
ence  seemed  to  lead  him  to  this  point. 

“We  were  all  optimistic  about  MySpace’s 
hiring  of  [Nigam],  because  we  felt  that  they 
would  be  able  to  implement  effective  mea¬ 
sures,”  says  Jay  Chaudhuri,  special  counsel 
to  North  Carolina  Attorney  General  Roy 
Cooper,  the  cochairman  of  a  group  of  32 
attorneys  general  who  have  been  trying  to 
push  MySpace  to  improve  its  safety  and 
security  practices. 

But  now,  the  honeymoon  is  over. 

“In  the  last  six  months,  MySpace  has 
certainly  made  some  changes,”  Chaudhuri 
says,  “but  are  they  sufficient  to  protect  chil¬ 
dren  online,  and  do  a  majority  of  attorneys 
general  think  MySpace  is  a  safe  'place  for 
friends,’  as  they  like  to  call  it?  I  think  the 
answer  is  no.” 

Pushing  for  Change 

Within  weeks  of  Nigam’s  start  date  of  May 
1,  2006,  MySpace  was  proclaiming  new 
measures  to  improve  safety  and  security. 
First,  the  company  would  block  members 
who  list  their  age  as  over  18  from  contacting 
members  who  are  14  or  15,  unless  the  adult 
knows  either  the  young  member’s  full  name 
or  e-mail  address.  (MySpace  says  that  mem¬ 
bers  must  be  at  least  14  years  old  but  does 
not  verify  age,  which  is  still  a  point  of  much 
contention.)  Second,  the  company  would 
allow  members  of  any  age,  and  not  only 
14-  and  15-year-olds,  to  set  their  profiles  to 
private,  making  their  full  information  avail¬ 
able  only  to  people  within  their  network  of 
“friends.”  Third,  the  company  would  start 
targeting  ads  based  on  age,  to  ensure  that 
members  under  18  don’t  see  ads  for  tobacco 
or  dating  services  and  that  members  under 
21  don’t  see  ads  for  alcohol.  (This  targeting 
of  ads  certainly  fits  into  a  larger  strategy; 
Eric  Openshaw,  national  managing  director 
of  the  technology,  media  and  telecommuni¬ 
cations  group  at  Deloitte  Consulting,  says 
that  the  amount  of  information  members 
provide  to  MySpace  makes  it  a  “market¬ 
ing  data  gold  mine”  that  might  allow  News 
Corp.  eventually  to  recoup  its  investment.) 

March  2007  www.csoonline.com  27 


Cover  Story  |  Social  Media 


Other,  quieter  changes  were  made.  For 
instance,  MySpace  employees  noticed  that 
some  young  members  were  listing  their 
age  as  69  (shorthand  for  a  sexual  position). 
Older  members  were  then  running  searches 
for,  say,  69-year-olds  under  four  feet  tall,  in 
hopes  of  finding  young  members  interested 
in  sex.  Now,  members  can  no  longer  browse 
for  people  over  the  age  of  68. 

From  his  third-floor  office  at  the  stu¬ 
diously  hip  new  digs  in  Beverly  Hills  that 
News  Corp.  built  for  Fox  Interactive  Media, 
Nigam  takes  a  pragmatic  approach  to  these 
types  of  changes.  He  works  with  his  team 
to  create  what  he  calls  an  issue  list.  “We 
look  at,  what  are  hackers  doing,  what  are 
predators  doing?”  he  says.  “Then  we  go  to 
our  engineers  and  say,  suppose  you  have  no 
worries  about  resources— what  can  we  do 
to  solve  these  issues?  Is  there  a  change  we 
can  make  or  feature  we  can  add?”  Once  they 
have  this  list  in  hand,  they  try  to  figure  out 
which  five  or  10  things  they  can  do  to  hit 
80  percent  of  the  problem,  and  they  build 
the  priority  list  from  there. 

Perhaps  the  biggest  change  to  grow 
from  this  issue  list  is  an  attempt  to  block 
known  sex  offenders  from  the  site.  A  con¬ 
stant  stream  of  news  reports  of  children 
lured  into  meeting  ill-intentioned  adults 
they  chatted  with  on  MySpace  have  battered 
the  site’s  reputation.  One  woman  and  her 
14-year-old  daughter  sued  MySpace  for 
$30  million,  after  the  girl  was  allegedly  sex¬ 
ually  assaulted  by  a  19-year-old  man  she  met 
on  MySpace.  (The  case  was  dismissed  in  Feb¬ 
ruary.)  An  investigation  published  by  Wired 
in  October  found  hundreds  of  registered  sex 
offenders  who  had  created  MySpace  profiles 
using  their  real  names,  and  some  of  them 
were  busy  collecting  young  “friends.”  So  in 
December,  MySpace  announced  that  it  was 
partnering  with  Sentinel  Tech  Holding,  a 
background  verification  vendor,  to  build 
a  central,  national  database  of  known  sex 
offenders— information  that  previously  had 
been  scattered  across  numerous  federal  and 
state  databases.  The  technology,  known  as 
Sentinel  Safe,  will  allow  MySpace  to  block 
those  users  from  the  site.  (MySpace  says  its 
competitors  can  use  the  database  as  well.) 

Critics  were  quick  to  point  out  that  the 


Meet  Hemanshu  Nigam 


Name:  Hemu  Nigam 

Headline:  "Safety  innovation  never  sleeps...” 

Gender:  Male 
Age:  42  years  old 

Location:  Beverly  Hills,  CALIFORNIA 
Status:  Married 

Hometown:  Born  in  Kanpur,  India.  Raised  in 
Connecticut. 

Zodiac  Sign:  Capricorn 

Children:  Four,  ages  11, 10,  6  and  21  months 

Education:  Bachelor’s  degree,  law  degree 

Hemu’s  Companies 

Fox  Interactive  Media/MySpace 

Chief  Security  Officer,  2006-present 

Microsoft 

Various  jobs,  including  Director  of  Consumer 
Security  Outreach  and  Child  Safe  Computing 
for  the  Security  Technology  Unit,  2002-2006 

Motion  Picture  Association  of  America 

VP  of  Worldwide  Internet  Enforcement, 
2000-2002 


U.S.  Department  of  Justice,  Criminal  Division 

Attorney  in  the  Child  Exploitation  and 
Obscenity  Section  and  the  Computer  Crime 
and  Intellectual  Property  Section 
1997-2000 

Los  Angeles  District  Attorney’s  Office 

Deputy  District  Attorney,  handling 
felony  and  misdemeanor  cases  and  also 
serving  in  the  sex  crimes  unit,  where  he 
specialized  in  cases  involving  adult  rape, 
child  molestation  and  child  abuse 
1990-1997 

Hemu's  Schools 

Boston  University  School  of  Law 

Boston,  Mass. 

Graduated  1990 

Wesleyan  University 

Middletown,  Conn. 

Major:  Political  theory  and  government 
Graduated  1987 


28  www.csooni  ne.com  March  2007 


PHOTO  BY  DANIEL  HENNESSEY 


© 


There  isn't  much  IT  managers  won't  try  when  it  comes  to  protecting  email  and  file  transfers. 
But  drastic  measures  (even  the  creative  ones)  run  the  risk  of  wasting  valuable  resources  and 
hindering  employee  productivity.  Tumbleweed  delivers  serious  protection,  simply.  With  a 
product  suite  that's  quick  to  deploy,  easy  to  manage  and  intuitive  to  use,  your  messages  are 
guaranteed  a  safe  flight. 


There's  an  easier  way  to  secure  your  messaging. 

(Without  resorting  to  dubious  methods.) 


Tumbleweed 

www.tumbleweed.com/easierway  Messaging.  Secure  and  Simple. 


©  2007  Tumbleweed  Communications  Corp.  All  rights  reserved.  Tumbleweed  and  the  Arrows  logo  are  registered 
trademarks  of  Tumbleweed  Communications  Corp.  in  the  United  States  and/or  other  countries. 


Cover  Story  |  Social  Media 


move  would  simply  force  registered  sex 
offenders  to  use  aliases,  but  MySpace  has 
been  lobbying  on  that  front  too.  On  the  heels 
of  the  Sentinel  Safe  announcement  came  a 
PR  coup:  Sens.  John  McCain  (R-Ariz.)  and 
Charles  Schumer  (D-N.Y.)  announced  plans 
to  introduce  legislation  that  would  force 
registered  sex  offenders  to  disclose  their 
e-mail  addresses  to  law  enforcement.  Using 
a  nonregistered  e-mail  address  would  be  a 
violation  of  probation  or  parole.  The  law,  if 
passed,  would  provide  MySpace  with  more 
information  with  which  to  make  a  match. 
In  Virginia,  the  attorney  general  pushed  for 
similar  state  legislation. 

Meanwhile,  reports  were  whirling  about 
malicious  code  running  through  the  site.  In 
one  earlier  case,  a  teenager  known  as  “Sarny” 
exploited  a  cross-site  scripting  vulnerabil¬ 
ity,  adding  a  piece  of  code  to  his  profile  that 
within  20  hours  infected  the  profiles  of  more 
than  1  million  users— and  garnered  him 
more  than  1  million  automated  requests  to 
be  each  user’s  “friend.”  (He  pled  guilty  and 
was  sentenced  in  January.)  Another  worm 
exploited  a  flaw  in  Apple  QuickTime  to  steal 
log-in  credentials  of  users  and  spread  spam; 
one  security  vendor  estimated  that  one  in 
three  profiles  was  affected. 

As  a  result,  Nigam  is  now  turning  more 
of  his  attention  to  computer  security  issues, 
pulling  together  a  dedicated  group  that  will 
respond  to  incidents  and  work  on  education 
and  awareness— both  for  MySpace  engi¬ 
neers,  who  need  additional  training  on  how 
to  write  secure  Web  applications,  and  for 
members,  who  can  protect  themselves  by 
installing  antivirus  software  and  firewalls 
and  by  keeping  their  software  patched. 

In  the  background  of  all  this,  the  basic 
sleuth  work  continues.  MySpace’s  terms 
of  service  prohibit  members  from  post¬ 
ing  photos  or  videos  that  contain  nudity, 
hate  speech  or  illegal  drug  use,  or  ones 
that  infringe  upon  copyright  laws,  but  it’s 
a  constant  battle  to  keep  that  kind  of  mate¬ 
rial  off  the  site.  The  24/7  support  opera¬ 
tions  team— currently  about  40  percent 
of  MySpace’s  300-person  staff— manually 
reviews  the  7  million  images  and  videos  that 
are  posted  every  day.  They  also  run  searches 
to  try  to  find  underage  users  who  post  infor¬ 


mation,  like  the  name  of  the  elementary 
school  they  attend,  that  indicates  they  are 
not  at  least  14  years  old.  The  company  says 
it  currently  shuts  down  about  30,000  pro¬ 
files  of  underage  users  each  week.  (Nigam 
wouldn't  discuss  any  specifics  regarding 
copyright  infringement,  citing  an  ongoing 
lawsuit  that  was  filed  in  November  by  Uni¬ 
versal  Music,  which  claims  that  the  founda¬ 
tion  of  MySpace  is  “‘user-stolen’  intellectual 
property  of  others,”  with  MySpace  “a  willing 
partner  in  that  theft.”) 

Still,  the  reports  of  unsavory  characters 
on  the  site  continue,  as  attested  by  a  quick 
visit  to  the  crowded  MyCrimeSpace.com, 
which  tracks  crimes  related  to  MySpace 
and  other  social  networking  sites.  “I  don’t 
think  whatever  security  measures  [Nigam] 
put  in  place  are  being  all  that  effective,”  says 
Trench  Reynolds,  the  nom  de  blog  of 
the  North  Carolina  dad  and  “9  to 
5-er”  who  runs  the  site  in  his 
spare  time.  “MySpace  can 
only  do  so  much  on  their  end 
of  things.  Parents  need  to  do  a 
better  job  monitoring  their  kids’ 
activities.” 

“Anytime  you  have 
users  interacting  in 
one  location,  even¬ 
tually  you’re  going 
to  have  bad  people 
show  up,”  acknowl¬ 
edges  Nigam,  who  has  a 
disarmingly  straightforward 
manner  when  questioned 
about  problems  on  the  site.  Dur¬ 
ing  an  interview  that  lasts  the  better  part 
of  a  workday,  he  manages  to  come  across 
as  polished  without  being  slick,  with  short 
black  hair  that’s  spiked  up  on  top  to  mini¬ 
mize  the  thinning— the  former  fed  trying 
to  fit  in  at  a  company  where  he  is  at  least 
a  decade  older  than  most  of  his  coworkers. 
For  him,  he  explains,  the  fact  that  his  secu¬ 
rity  initiatives  are  not  100  percent  effective 
is  beside  the  point. 

“There  are  lots  of  things  a  bad  guy  could 
do  to  get  around  systems  that  are  in  place,” 
says  Nigam  simply,  his  navy  blazer  draped 
over  an  empty  chair  next  to  him.  “But  from 
our  perspective,  that  doesn’t  mean  you  don’t 


put  the  systems  in  place.  You  do  everything 
you  can.  You  predict  and  you  attack,  you  fix, 
you  change,  you  make  it  difficult.  And  while 
you’re  making  it  difficult,  you  constantly 
raise  awareness  around  what’s  going  on.” 

The  Business  Balance 

None  of  what  Nigam  has  done,  of  course, 
is  enough  to  appease  MySpace’s  critics.  The 
copyright-infringement  lawsuit  filed  by  Uni¬ 
versal  Music,  which  is  owned  by  Vivendi— 
another  international  media  juggernaut— is 
unlikely  to  go  away  easily.  In  January,  four 
more  families  sued  MySpace  for  millions  of 
dollars,  claiming  their  underage  daughters 
were  sexually  abused  by  adults  they  met  on 
the  site.  The  U.S.  House  of  Representatives 
has  passed,  and  the  Senate  is  considering, 
legislation  that  would  require  public  schools 
and  libraries  to  restrict  the  use  of 
social  networking  websites  by 
minors.  And  the  group  of  state 
attorneys  general,  threatening 
legal  action,  is  not  budging  on 
what  they  see  as  the  need  for 
MySpace  to  institute  age  verifi¬ 
cation. 

“All  the  changes  they’ve  made 
have  certainly  been  positive,  but 
as  we’ve  expressed  to  them, 
they’re  not  the  most  effective 
means  of  protecting  children 
online,”  says  Chaudhuri  of 
the  North  Carolina  attorney 
general’s  office.  “They’re  all 
changes  on  the  margin  and 
don’t  focus  on  the  critical  issue 
of  trying  to  distinguish  the  child  from  the 
adult  or  the  adult  from  the  child.” 

Nigam  hints  that  he  would  like  to  fig¬ 
ure  out  how  to  solve  this  problem.  In  fact, 
MySpace’s  partner  on  the  sexual  predators 
database,  Sentinel  Tech,  says  it  does  provide 
age  verification.  “It  should  be  telling  that 
we’re  partnering  with  a  company  that  offers 
that,  and  we’re  not  using  that  part  of  it,” 
Nigam  says  when  quizzed.  “It  is  extremely 
difficult  to  verify  the  age  of  people  who  are 
under  the  age  of  18.  Publicly  available  data 
does  not  exist.  We  do  think  parents  can  have 
a  role  in  it,  and  we’re  examining  what  can 
be  done  with  parental  involvement.”  Soon 


30  www.csoonline.com  March  2007 


There's  an  easier  way  to  keep  Maria  in  Sales 
from  handling  infected  attachments. 

(Without  hindering  her  motor  skills.) 

There  isn't  much  IT  managers  won't  try  when  it  comes  to  anti-virus  protection  and  stopping 
sensitive  data  leakage.  But  drastic  measures  (even  the  creative  ones)  run  the  risk  of  wasting 
valuable  resources  and  hindering  employee  productivity.  Tumbleweed  delivers  serious 
protection,  simply.  With  a  product  suite  that's  quick  to  deploy,  easy  to  manage  and  intuitive 
to  use,  exceptional  protection  is  at  your  fingertips. 


<J^>  Tumbleweed 

www.tumbleweed.com/easierway  Messaging.  Secure  and  Simple. 


©  2007  Tumbleweed  Communications  Corp.  All  rights  reserved.  Tumbleweed  and  the  Arrows  logo  are  registered 
trademarks  of  Tumbleweed  Communications  Corp.  in  the  United  States  and/or  other  countries. 


Cover  Story  |  Social  Media 


A  MySpace  Time  Line 


after,  MySpace  announced  that  it  was 
developing  free  software  that  parents 
could  install  on  their  home  computers 
to  monitor  what  name,  age  and  location 
their  children  are  using  at  the  site. 

The  question  going  forward  is  whether 
the  changes  Nigam  has  made— and  the 
changes  he  continues  to  push  for— can 
actually  make  the  site  measurably  safer, 
without  making  it,  well,  uncool.  Already, 
MySpace  s  demographic  is  skewing  older 
than  competing  sites.  According  to  com- 
Score  Media  Metrix  (which  measures 
Internet  usage),  percentage- wise  almost 
twice  as  many  users  of  the  competing  site 
Xanga,  which  welcomes  users  as  young 
as  12,  are  under  the  age  of  18. 

A  demographic  change,  if  prompted 
by  increased  security  controls,  might 
be  the  kiss  of  death— or  it  might  be  a 
blessing.  “There  are  two  arguments 
there,”  says  Openshaw  from  Deloitte 
Consulting.  “If  you  increase  the  level  of 
security  and  control  and  filtering,  you 
might  slow  [the  adoption  rate]  down, 
or  it  might  increase  because  you  make 
it  palatable  to  a  whole  other  segment 
of  the  population  that  might  be  wall¬ 
ing  to  use  it”— adults  who  want  to  share 
information  with  friends  and  family  but 
who  also  want  assurance  of  privacy  and 
security.  Already,  comScore  says,  a  sur¬ 
prising  half  of  MySpace  users  are  age  35 
or  older,  and  MySpace  reports  that  its 
fastest-growing  population  is  between 
the  ages  of  35  and  42. 

Whichever  way  MySpace  is  trend¬ 
ing,  if  you  believe  that  social  network¬ 
ing  is  not  just  a  fad— that  we  have  truly 
entered  a  world  of  consumer-to-con- 
sumer  interaction  on  the  Web— then  you’d 
better  hope  that  Nigam  can  find  the  right 
balance  between  security  and  commerce. 
“We  can  make  these  things  absolutely  safe 
and  secure,”  says  Allen  from  the  Center  for 
Missing  and  Exploited  Children,  adding, 
“but  do  we  then  drive  people  into  offshore 
versions  of  this  that  are  beyond  regulation?” 
Ones  that  don’t  have  24-hour  hotlines  for 
law'  enforcement  or  someone  in  charge  who 
is,  yes,  regularly  willing  to  talk  to  the  press 
when  bad  things  happen  on  its  site? 


January  2004 

Official  site  launch  of  MySpace 

February  2004 

1  million  members 

November  2004 

5  million  members 

October  2005 

$580  million  acquisition 
by  News  Corporation 

May  2006 

Hemanshu  Nigam  hired 
as  CSO 

June  2006 

80  million  members 

■  MySpace  announces  it  will 
block  adults  from  contacting  14-  and 
15-year-olds  without  knowing  their 
e-mail  address  or  full  name,  make  privacy  settings 
available  for  all  users,  and  block  alcohol  and 
tobacco  ads  for  underage  users 

August  2006 

100  million  members 

October  2006 

■  Wired  reports  that  hundreds  of  registered  sex 
offenders  have  created  MySpace  pages  using  their 
own  names 

December  2006 

135  million  members 

■  Worm  using  QuickTime  exploit  spreads  through 
MySpace 

■  MySpace  announces  a  plan  for  blocking 
convicted  sex  offenders  from  the  site 

January  2007 

■  Four  families  sue  MySpace,  claiming  their 
underage  daughters  were  sexually  abused  by 
adults  they  met  on  the  site 

■  MySpace  announces  that  it's  developing  free 
software  that  parents  can  use  to  monitor  public 
information  their  children  post  at  the  site 

February  2007 

150  million  members 


“If  you  look  at  the  problems  that  they  have 
fixed  or  improved,  it’s  very  encouraging,” 
Allen  says.  “But  there’s  more  to  do,  and  the 
challenge  is  daunting.  It’s  the  kind  of  thing 
that’s  going  to  require  continuing  commit¬ 
ment,  continuing  dedication  and  continuing 
communication.  This  is  one  of  those  things 
that’s  not  going  to  be  solved  quickly.” 

Nigam,  for  his  part,  is  bullish  that  not 
only  will  his  changes  make  the  site  more 
secure  but  that  they’ll  also  improve  the 
business.  Although  he  likes  to  present  what 


he’s  doing  as  a  public  service,  as  if  talk¬ 
ing  about  making  money  were  crass,  he 
insists  that  there  is  a  strong  business 
benefit  to  his  role. 

“The  advertisers  who  talk  to  us  are 
saying,  If  your  site  has  people  who  are 
getting  victimized  or  hit  by  viruses 
and  there  are  dangers  there,  then  we 
don’t  want  to  align  our  brand  with 
yours,”  Nigam  says.  “So  there’s  this 
really  cool  synergy  between  doing 
safety  for  business  reasons  and 
doing  safety  because  it’s  the  right 
thing  to  do.  You  don’t  find  that  in 
many  places.  The  [safer  it  is],  the 
greater  your  reputation;  the  greater 
your  reputation,  the  more  advertisers 
feel  comfortable  in  talking  to  the  135 
million  people  who  are  on  the  site.  If  you 
don’t  do  that,  then  you  have  135  million 
units  of  overhead  cost,  and  that’s  one  of 
the  worst  investments  you  could  make.” 

During  a  phone  call  weeks  later,  he 
expands  on  this  point,  saying  that  all 
the  talk  about  the  business  rationale  for 
improving  security  on  MySpace  recalled 
the  driving  rationale  of  his  career. 

“I  remember  my  first  day  of  training 
in  the  Los  Angeles  District  Attorney’s 
office,  and  the  deputy  stood  up  to  give 
us  a  speech  about  what  it’s  like  to  work 
in  the  DA’s  office,”  he  says.  “Near  the  end 
of  it  he  said,  ‘You  know,  one  of  the  great¬ 
est  things  you’re  going  to  find  out  about 
this  job  is  every  single  day,  you  get  to 
come  to  work  and  do  the  right  thing.’  I 
heard  that,  and  I  was  like,  I  guess  I’m 
never  going  to  leave.  And  so  every  single 
time  I’ve  gone  to  a  new  job,  I  go  mentally 
through  that  debate  of,  am  I  going  to  go 
there  to  do  the  right  thing?  Coming  here,  I 
kept  thinking  to  myself,  you  know,  if  I  join 
I  can  come  to  work  to  do  the  right  thing. 
Keeping  our  members  safe,  that’s  doing  the 
right  thing.  Keeping  our  site  secure,  that’s 
doing  the  right  thing.  And  when  we  do  that, 
it  has  a  major  business  impact,  and  that  just 
makes  it  all  the  better. 

“I’m  the  guy  who  gets  to  come  to  work  to 
do  the  right  thing.”  ■ 


Reach  Senior  Editor  Sarah  D.  Scalet  at  sscalet  ^cxo.com. 


32  www.csoonline.com  March  2007 


There's  an  easier  way  to  safely  transfer  Todd's 
financial  data  over  FTP. 

(Without  wasting  manpower  on  costume  design.) 

There  isn't  much  IT  managers  won't  try  when  it  comes  to  securing  file  transfers.  But 
drastic  measures  (even  the  creative  ones)  run  the  risk  of  wasting  valuable  resources  and 
hindering  employee  productivity.  Tumbleweed  delivers  serious  protection,  simply.  With 
a  product  suite  that's  quick  to  deploy,  easy  to  manage  and  intuitive  to  use,  file  transfers 
are  a  snap — no  masterful  disguises  necessary. 


Tumbleweed 

www.tumbleweed.com/easierway  Messaging.  Secure  and  Simple. 


©  2007  Tumbleweed  Communications  Corp.  All  rights  reserved.  Tumbleweed  and  the  Arrows  logo  are  registered 
trademarks  of  Tumbleweed  Communications  Corp.  in  the  United  States  and/or  other  countries. 


csoonl 


An  acrimonious  court  case  between 
two  athletic  gear  companies  provides 
strategies  for  discouraging  intellectua 
property  theft— and  dealing  with 
accusations  when  they  arise 


By  Scott  Berinato 


•;  *  i  m 


Two  years  ago  this  month,  a  man  named  Homayoun  Ghas- 
semi— who  goes  by  the  shorter  nickname,  Holmes— resigned 
as  director  of  hockey  marketing  at  sporting  goods 
company  Easton  Sports.  The  same  day,  Ghassemi 
accepted  a  job  at  Warrior  Lacrosse,  owned  by  the 
Boston-based  sneaker  company  New  Balance.  War¬ 
rior  was  clearly  planning  to  face  off  with  Easton  by 
purchasing  Innovative  Hockey,  another  vendor  in  the  hockey  stick  busi¬ 
ness.  •  Eight  days  after  he  resigned,  Ghassemi  gathered  his  stuff,  met  with 
Easton  execs  once  more  and  then  left  for  good.  •  But  his  computer  stayed 
behind,  and,  in  a  sense,  this  meant  that  Holmes  Ghassemi— some  past, 
digital  version  of  him  anyway— remained  at  Easton.  A  Shadow  Holmes  of 
sorts.  The  company  was  free  to  continue  its  exit  interview  with  Ghassemi, 
in  the  form  of  a  forensics  investigation  of  his  computer.  This  digital  ghost, 
this  Shadow  Holmes,  told  Easton  extraordinary  things— that,  for  example, 
a  month  before  he  resigned,  Ghassemi  had  forwarded  a  "Hockey  Business 
Model"  to  Warrior  from  his  Yahoo  e-mail.  The  model  included  a  projec¬ 
tion  that  he  could  make  the  hockey  unit  a  $50  million  business  in  five 
years.  Shadow  Holmes  told  Easton  that  he  had  forwarded  Easton  files  to 

ine.com  March  2007 


IN  THIS 
STORY  Howto 
prevent  destruction  of 
evidence  ■  What  to  do  when 
employees  allegedly  delete 
evidence  ■  The  increasing 
complexity  of  electronic 
discovery  / 


ILLUSTRATION  BY  ZACHARY  PULLEN 


m - - - - 


Investigations 


his  personal  Yahoo  account  in  the  month  lead¬ 
ing  up  to  his  resignation,  and  that  he  accessed 
about  200  files  on  his  office  computer  the  day 
before  he  resigned,  and  dozens  more  on  the  day 
he  left  for  good. 

The  digital  Shadow  Holmes  told  Easton 
enough  for  the  company’s  lawyers  to  inform 
Warrior’s  lawyers  that  Ghassemi  was  suspected 
of  stealing  trade  secrets.  Warrior  said  it  would 
investigate  and  immediately  amended  Ghas- 
semi’s  employment  offer  to  say  he  shouldn’t 
bring  anything  from  Easton.  In  a  subsequent 
letter  Warrior  denied  that  Ghassemi  “retained 
any  documents  from  Easton.”  Easton  replied 
with  a  screen  shot  of  Ghassemi’s  old  computer 
showing  Ghassemi’s  file  access  on  that  Sunday 
before  he  resigned.  Warrior  lawyers  wanted  to 
be  sure,  so  they  asked  Ghassemi  directly  if  he’d 
taken  confidential  information  from  Easton.  Ghassemi  said  no  and 
submitted  affidavits  reaffirming  the  denial. 

Easton  nevertheless  filed  suit  in  U.S.  District  Court,  charg¬ 
ing  Warrior  with  conducting  a  “campaign  of  industrial  espio¬ 
nage,  stealing  Easton’s  trade  secrets  and  raiding  its  employees.” 
The  complaint  accuses  Ghassemi  of  secretly  brokering  Innova¬ 
tive  Hockey’s  sale  to  Warrior  when  Ghassemi  knew  that  Easton 
was  also  pursuing  Innovative.  It  accuses  him  of  “soliciting”  other 
Easton  employees  (some  successfully)  to  work  for  Warrior.  And 
it  accuses  him  of  forwarding  documents  containing  Easton  trade 
secrets  to  his  Yahoo  e-mail. 

What  at  first  seemed  like  humdrum  career  advancement  and 
corporate  competition  has  since  morphed  into  a  cautionary  tale. 
Easton  v.  Warrior  Lacrosse  remains  unresolved,  but  already  it  has 
become  a  textbook  case  for  CSOs  to  learn  how  to  handle  employees 
coming  from  and  going  to  competitors,  the  vicissitudes  of  main¬ 
taining  trade  secrets  in  an  age  of  hyperportable  technology  and 
public  e-mail,  and  the  ramifications  of  not  preparing  for  the  even¬ 
tuality  of  a  trade  secret  dispute. 

The  day  after  Easton  sued,  as  Easton  asked  a  judge  for  per¬ 
mission  to  inspect  Warrior  computers,  Ghassemi  canceled  his 
Yahoo  account,  effectively  destroying  it.  Twice  more  in  the  next 
six  months,  Ghassemi  would  deny  wrongdoing,  once  under  oath 
during  his  deposition.  But  Easton  forensics  investigations  pro¬ 
duced  two  startling  discoveries:  Ghassemi’s  computer  at  his  new 
company  had  “experienced”  a  CD  that  contained  six  Easton  file 
names  and  “appeared”  to  have  been  created  on  the  Saturday  before 
Ghassemi  resigned  from  Easton.  Also,  two  more  Easton  file  names, 
traceable  to  the  extinct  Yahoo  account,  were  found  on  his  Warrior 
hard  drive. 

Easton  filed  a  motion  requesting  sanctions  when  it  discovered 
that  Ghassemi  had  scotched  the  Yahoo  account.  In  his  ruling  on 
the  motion,  from  which  all  of  the  above  findings  of  fact  are  taken, 
Judge  Donald  A.  Scheer  calls  Ghassemi’s  denials  of  leaving  Easton 


with  confidential  information  “false.”  He  calls 
Ghassemi’s  inability  to  recall  certain  events  “to 
say  the  least,  incredible.”  And  finally,  he  writes: 

“No  innocent  explanation  for  Ghassemi’s 
destruction  of  his  Yahoo  account  has  been  pre¬ 
sented.  Nor  has  he  explained  the  fact  that  data 
from  a  CD  he  admitted  making  but  denied 
taking  from  Easton  was  found  on  his  Warrior 
computer.  There  is  definite  evidence  that  Easton 
information  was  transmitted  to  a  Warrior  com¬ 
puter  both  from  that  CD  and  from  Ghassemi’s 
Yahoo  account.  Ghassemi  unquestionably  knew 
that,  and  a  case  can  be  made  that  Warrior  should 
have  done  more  to  detect  and  preserve  the  rel¬ 
evant  data  under  Ghassemi’s  control.” 

It  was,  the  judge  ruled,  spoliation  of  evidence. 
He  stopped  just  short  of  entering  a  default  judg¬ 
ment  Easton  had  sought  (which  would  amount 
to  a  ruling  in  favor  of  the  plaintiff  without  a  trial)  but  still  imposed 
a  serious  sanction,  an  adverse  inference  instruction.  That  means 
that  when  the  case  goes  to  trial,  Easton  can  tell  the  jury  that  evi¬ 
dence  was  destroyed,  and  the  jury  will  be  instructed  that  it  may 
presume  that  the  destroyed  evidence  would  have  helped  Easton’s 
case. 

“It’s  like  the  gap  in  the  Watergate  tapes,”  says  Philip  Gordon,  an 
attorney  who  specializes  in  workplace  privacy  and  trade  secrets 
litigation  with  the  firm  Littler  Mendelson.  “Ask  99.9  percent  of 
people  and  they  assume  that  what  was  destroyed  was  bad  for 
Nixon.  This  is  the  same  thing.  It’s  almost  a  silver  bullet  for  the 
plaintiff-.  It’s  a  very  significant  sanction.” 

One  of  the  most  notable  cases  involving  spoliation  of  evidence 
is  a  gender  discrimination  case,  Zubulake  v.  UBS  Warburg,  in 
which  some  e-mails  that  should  have  been  preserved  as  evidence 
were  destroyed.  The  jury  was  given  an  adverse  inference  instruc¬ 
tion.  The  plaintiff,  Laura  Zubulake,  was  eventually  awarded  an 
unprecedented  $24.7  million.  Says  Michele  Lange,  a  staff  attor¬ 
ney  with  forensics  firm  Kroll  OnTrak,  “Certainly  adverse  inference 
played  a  major  role  for  the  jurors  in  that  outcome.” 

CSOs  play  a  central  role  in  preventing  trade  secret  leaks.  But 
given  technology  like  anonymous  e-mail  boxes  and  USB  keys,  it’s 
getting  far  more  difficult  to  prevent  information  leakage.  So  CSOs 
must  also  learn  to  anticipate  situations  where  trade  secrets  are  at 
risk,  and  lead  when  it  comes  time  to  manage  an  incident.  Here  are 
11  lessons  for  how  to  prepare  for  trade  secret  misappropriation  and 
avoid  messy  situations  like  the  one  Warrior  (which,  it’s  important 
to  remember,  is  innocent  until  proven  guilty)  finds  itself  in. 

1  Create  mirror  images  of  hard  drives.  The  security  team,  work¬ 
ing  with  IT,  should  always  replicate  a  departing  employee’s  disk 
drive  the  day  that  person  leaves  for  a  competitive  company.  “When 
we  give  advice  to  clients,”  says  Lange,  “this  is  absolutely  number 
one  on  the  list.”  For  large  companies  that  may  have  hundreds  of 


CSOs  play  a 
central  role 
in  preventing 
trade  secret 
leaks.  But  given 
technology  like 
anonymous 
e-mail  boxes 
and  USB  keys, 
it’s  getting  far 
more  difficult 
to  prevent 
information 
leakage. 


36  www.csoonline.com  March  2007 


employees  coming  and  going  daily,  Lange  suggests  that  the 
security  team  identify  the  riskiest  departures,  usually  those 
with  high  levels  of  access  to  trade  secrets  and  those  who  are 
known  to  be  leaving  for  a  competitor,  and  target  those  indi¬ 
viduals  for  priority  hard  disk  imaging.  Imaging  is  important 
for  the  defense  in  a  trade  secrets  case  too.  Once  Easton  notified 
Warrior  of  its  suspicions,  the  security  team  at  Warrior  should 
have  immediately  created  a  mirror  image  of  Ghassemi’s  drive 
(whether  or  not  they  did  is  unclear).  After  all,  the  judge  himself 
said  in  his  ruling  on  the  motion:  “Warrior  should  have  done 
more  to  detect  and  preserve  the  relevant  data  under  Ghas- 
semi’s  control.” 

2  Don’t  poke  around.  This  is  the  first  of  two  cardinal 
sins  companies  should  not  commit.  The  emotional 
impulse  of  someone  who  feels  violated  is  to  immediately 
start  rifling  through  the  suspect’s  computer  looking  for  the 
smoking  gun.  Don’t.  Think  of  the  computer  as  a  crime  scene. 
Just  as  you  wouldn't  go  around  picking  up  bullet  shells  or 
putting  your  fingerprints  on  weapons  found  at  the  scene,  you 
don’t  want  to  start  accessing  files,  plowing  through  e-mails  or 
otherwise  tainting  the  evidence.  The  more  you  do,  the  more 
the  defense  can  argue  that  the  evidence  is  highly  unreliable, 
even  tampered  with.  Once  again,  this  advice  applies  to  the 
CSO  of  the  company  receiving  the  employee  too.  Ghassemi’s 
canceling  his  Yahoo  account  was,  in  effect,  a  severe  form  of 
poking  around. 

3  Don’t  redeploy  too  quickly.  You  don’t  want  to  eliminate 
the  scene  of  the  crime,  either.  Lange  says  viable  trade 
secret  cases  are  rendered  moot  when  a  suspect’s  machine  has 
its  drive  wiped  clean  and  is  redeployed  for  a  new  hire.  Espe¬ 
cially  for  computers  of  high-risk  employees,  IT’s  inventory 
efficiency  must  take  a  back  seat  to  preserving  evidence.  “The 
security  officer  needs  to  guard  that  computer  and  disk  image 
like  Fort  Knox,”  Lange  says. 

4  Add  arriving  employee  protocols.  As  part  of  accepting 
a  job,  have  employees  arriving  from  a  competitor  sign  a 
statement  affirming  they’ve  brought  no  sensitive  documents 
with  them,  making  sure  to  include  a  laundry  list  of  the  types 
of  documents  and  form  factors  that  are  verboten.  (Work  with 
counsel  on  this.)  Warrior  tried  to  add  something  like  this  to 
Ghassemi’s  employment  offer  after  Easton  contacted  them. 
Too  late.  Had  it  been  part  of  the  agreement  from  the  beginning, 
the  company  would  have  had  an  easier  time  making  the  argu¬ 
ment  it  eventually  did  to  the  judge.  The  judge  noted  that  while 
the  defendants  essentially  conceded  that  Ghassemi’s  actions 
support  an  inference  of  bad  faith,  they  argued  that  “the  con¬ 
duct... was  not  solicited  by  them  and  should  not  expose  them 
to  sanctions.”  But  the  judge  didn’t  buy  their  argument.  His 
ruling  against  Warrior  in  the  motion:  “At  least  negligence.” 


You  Can’t  Fool  the  Ref 


If  you  want  to  tick  off  a  judge, 
destroy  evidence.  Lawyers 
say  this  tactic  comes  up 
more  often  than  ever  because 
so  much  evidence  is  now 
electronic,  and  people  think 
they  can  delete  it  or  plead 
ignorance  over  how  technology 
works  as  a  defense  once  the 
evidence  is  destroyed. 

Be  warned:  Judges  aren’t 
buying  it.  In  a  ruling  on  Easton 
v.  Warrior  Lacrosse,  Judge 
Donald  A.  Scheer  wrote, 
"Destruction  of  evidence  is 
prejudicial  to  an  opposing 
party,  and  undermines  the 
litigation  process."  In  other 
words,  Not  in  my  house.  A 
few  other  recent  cases: 

Anderson  v.  Crossroads 
Capital  Partners,  LLC  In  this 
sexual  harassment  case,  after 
a  "protracted  discovery  battle” 
the  plaintiff  was  compelled 
to  give  the  defendant  her 
computer  without  deleting  any¬ 
thing.  Specifically  the  defense 
was  looking  for  an  October 
2001  document.  But  forensics 
discovered  1)  data-wiping 
software  called  CyberScrub 
had  been  installed  and  2)  the 
hard  drive  had  been  manufac¬ 
tured  in  August  2002— indicat¬ 
ing  that  the  original  drive  with 
relevant  documents  on  it  had 
been  swapped  out.  The  plaintiff 
claimed  she  didn’t  destroy  evi¬ 
dence  with  the  wiping  software, 
she  used  the  software  only  to 
protect  files.  As  for  the  new 
hard  drive,  she  told  the  judge 
that  in  her  view  it  was  the 
same  computer  throughout  the 
litigation  despite  the  swap.  The 
plaintiff’s  "exceedingly  tedious 
and  disingenuous  claim  of 
naivete  regarding  her  failure 
to  produce  the  requested 


discovery.. .defies  the  bounds 
of  reason,”  the  judge  noted.  An 
adverse  inference  instruction 
was  given  to  the  jury,  because 
the  plaintiff  "destroyed 
evidence  and  attempted  to 
suppress  the  truth." 

Kucala  Enterprises  Ltd.  v. 
Auto  Wax  Co.  In  this  complex 
patent  infringement  case,  the 
plaintiff,  Kucala,  was  found 
to  have  installed  a  program 
called  Evidence  Eliminator 
on  two  of  his  computers  and 
run  it  on  one  of  them  the 
night  before  discovery  was 
scheduled  to  take  place.  The 
forensics  investigator  dis¬ 
covered  that  12,212  files  had 
been  deleted  and  overwritten 
that  night  and  an  additional 
2,968  had  been  eliminated 
three  days  earlier.  Kucala’s 
attorney  argued  that  there  was 
no  proof  he  deleted  anything 
but  personal  files.  The  court 
wrote:  "Any  reasonable  person 
can  deduce,  if  not  from  the 
name  of  the  product  itself, 
then  by  reading  the  website, 
that  Evidence  Eliminator  is  a 
product  used  to  circumvent 
discovery.”  The  judge  ruled 
the  "specious"  deletion  of  files 
“gross  negligence.”  In  sum¬ 
mary:  "Kucala  has  engaged 
in  egregious  conduct  by  his 
flagrant  disregard  of  a  court 
order  requiring  him  to  allow 
inspection  of  his  computer 
and  his  utter  lack  of  respect 
for  the  litigation  process."  The 
judge  recommended  dismissal 
and  payment  of  court  costs. 
However,  the  district  judge 
allowed  the  case  to  continue 
but  upheld  the  payment  of 
court  costs  related  to  discov¬ 
ery,  which  were  $93,125.74. 

-S.B. 


March  2007  www.csoonline.com  37 


investigations 


5  Add  departing  employee  protocols.  Likewise,  when  an 
employee  announces  he’s  leaving  for  a  competitor,  have  a 
piece  of  paper  ready  that  shows  him  what  he  can  and  can’t  take 
olf  his  computer.  Include  a  statement  that  images  of  hard  drives 
are  taken  as  standard  operating  procedure.  If  necessary,  have  a 
security  staffer  sit  with  the  person  as  he  collects  his  personal  files, 
such  as  pictures  of  the  kids.  This  will  help  protect  against  one 
of  the  most  common  defenses  offered  by  the  accused:  “I  didn’t 
know  it  was  a  trade  secret.”  Chaperoning,  or  at  least  providing  a 
list,  specifies  what  is  a  trade  secret. 

Prepare  an  incident  instruction  memo.  For  a  company 
like  Warrior  on  the  receiving  end  of  a  trade  secrets  misap¬ 
propriation  accusation,  a  quick  response  is  crucial  to  protect 
itself  from  ending  up  dealing  with  spoliation  motions.  CSOs 
should  prepare  a  form  letter  or  e-mail  that’s  sent  to  relevant 
employees  immediately  upon  accusation.  The  message  of  the 
letter  is:  You  have  an  obligation  to  preserve  evidence,  no  mat¬ 
ter  how  bad  you  may  think  it  makes  you  or  us  look.  Legal  prec¬ 
edent  establishes  that  manipulation  of  evidence  is  far  worse  (see 
“You  Can’t  Fool  the  Ref,”  Page  37).  Don’t  destroy  anything.  Specifi¬ 
cally,  instruct  the  employee  with  the  following:  Do  not  delete  any 
files  from  your  work  computer.  Do  not  transfer  any  files  off  your 
work  computer  to  other  computers  or  devices.  Do  not  throw  away 
or  destroy  storage  media  such  as  CDs  or  USB  keys.  Do  not  install 
or  use  hard  drive  wiping  products  like  Evidence  Eliminator.  Do  not 
delete  personal  e-mail  accounts  or  anything  in  them.  It  is  crucial  to 
expressly  mention  third-party  sources  such  as  Yahoo  accounts  and 
home  computers  as  requiring  preservation,  says  Phil  Gordon. 

7 Understand  modern  methods  of  trade  secret  misap¬ 
propriation  and  build  defenses  against  their  abuse. 

CD  burning.  USB  keys.  Public  e-mail  accounts  and  ubiquitous  net¬ 
work  access  make  keeping  secrets  harder  than  ever.  “It’s  much  easier 
to  misappropriate  trade  secrets  now,”  says  Gordon.  “It  used  to  be  you 
had  to  walk  out  with  a  big  box  of  documents.  Now  you  have  a  2-gig 
thumb  drive  and  no  one  knows.”  Lange  concurs  and,  having  seen 
enough  cases  involving  trade  secrets  being  spirited  away  on  tiny 
dongles,  she  suggests  CSOs  consider  disabling  CD  burners  and  USB 
drives  on  computers.  Just  prepare  for  a  revolt  by  iPod  users. 

8  Make  sure  employees  understand  that  on  computers, 
delete  doesn’t  actually  mean  delete.  To  be  sure,  CSOs  have 
lost  an  edge  in  preventing  trade  secret  misappropriation  because 
of  technology.  But  they’ve  gained  something  too.  Technology  leaves 
behind  more  fingerprints  than  paper.  What  many  fail  to  fully 
appreciate  is  that  everything  they  do  on  a  computer  leaves  behind 
some  bread  crumb  that  a  skilled  forensics  investigator  will  find. 
“It’s  a  huge  eye-opening  experience,”  says  Lange  of  employees  being 
confronted  with  electronic  evidence  they  thought  they  had  deleted 
or  successfully  obfuscated.  “We’re  frequently  asked  to  put  together 
a  timetable  [of  events  or  employee  actions],  and  I  think  it  fright¬ 


ens  people  sometimes  how  much  we  can  put  together  through 
forensics.”  A  good  rule  of  thumb  for  employees  to  understand  is 
that  there’s  no  such  thing  as  “delete.”  Programs  that  promise  to 
truly  delete  or  eliminate  digital  files  are  not  perfect  either,  and  in 
fact,  evidence  of  their  presence  or  use  often  has  a  negative  effect, 
making  the  employee  appear  as  if  he  has  something  to  hide. 

Bone  up  on  trade  secret  misappropriation  law.  Someone 
accusing  your  company  of  trade  secret  misappropriation  must 
prove  two  things.  First,  he  has  to  prove  that  what  was  taken  is  a 
trade  secret.  Second,  he  must  prove  that  it  was  taken.  “That  can 
be  more  difficult  than  you  think,”  says  Gordon. 

On  the  first  point,  the  defense  will  often  argue  that  if  something 
is  easily  observable  or  reverse-engineered,  it’s  not  really  a  trade 
secret.  Yes,  the  employee  might  have  taken  that  schematic  from 
his  old  computer,  but  “it’s  a  hockey  stick.  I  could  go  buy  one  and 
get  the  same  information,”  says  Gordon.  On  the  second  point,  prov¬ 
ing  someone  took  something  electronically  often  relies  on  cobbling 
together  one  of  those  forensic  time  lines  Lange  was  talking  about. 
But  often  that’s  essentially  a  string  of  circumstantial  evidence.  In 
Ghassemi’s  case,  in  which  the  plaintiff  had  quite  a  bit  of  informa¬ 
tion,  Easton  still  could  prove  only  that  Ghassemi’s  computer  “experi¬ 
enced”  a  CD  that  “appeared”  to  be  created  before  he  left  Easton.  No 
evidence  exists  to  prove  who  made  the  CD,  where  or  whether  files  on 
the  CD  were  even  opened  on  Ghassemi’s  Warrior  computer,  never 
mind  if  anyone  viewed  them.  In  other  words,  Warrior  would  be  in 
a  much  better  position  defending  itself  against  trade  secret  misap¬ 
propriation  if  there  were  no  spoliation  of  evidence,  no  adverse  infer¬ 
ence  instruction.  That’s  why  the  points  on  imaging  hard  drives  and 
communicating  the  obligation  to  preserve  evidence  are  crucial. 

Create  a  litigation  response  team.  The  idea  behind  a  litiga¬ 
tion  response  team,  Lange  says,  is  to  have  a  single  response 
to  an  accusation  rather  than  distinct  reactions  from  different  offices. 
“We  see  a  lot  of  mistakes  when  one  department  goes  down  its  own 
path  without  anyone  knowing,”  Lange  says.  The  team  should  be 
able  to  assemble  quickly  and  should  include  CSO,  counsel,  HR,  a 
forensics  expert,  IT  and  a  representative  of  the  company’s  ISR 

UBe  ethical,  no  matter  what.  A  trade  secret  misappropriation 
case  will  involve  many  employees  with  varying  ethics.  Some 
may  want  to  bend  or  break  the  rules  to  protect  themselves  or  the 
company.  Your  obligation  is  to  the  company,  but  also  to  the  Right 
Thing.  If  it  appears  support  is  rising  for  some  questionable  act,  you 
are  duty-bound  to  assert  why  it  would  be  wrong  and  the  ramifica¬ 
tions,  including  your  declining  to  participate  and  possible  need  to 
report  the  incident.  It  might  be  a  good  idea  to  show  them  a  copy  of 
trade  secret  misappropriation  cases  and  the  results  of  those  cases 
when  evidence  was  destroyed  or  manipulated.  Have  counsel  or 
forensics  experts  explain  why  such  acts  won’t  work  anyway.  ■ 


Send  feedback  to  Senior  Editor  Scott  Berinato  at  sbehnato@cxo.com. 


38  www.csoonline.com  March  2007 


HK 


he  new  iCLASS  readers: 


y 


r  I  iLv 

t^fe^v ,/Xv 


Price  ►  same  as  Prox. 


fe'-v' 

| 

11 

V. 


Installation  ^  same  as  Prox. 


IfcCv.V:  r> 

i 


Power  Requirement  ►  same  as  Prox. 


Security  \  same  as  Alcatraz. 


K. 

b. 

sp*?' 

■■■Sr  i  - 

i 

■  tii' 

1 

I 

2 

r~ 

H 

4 

5 

r~ 

r 

7 

8 

r~ 

r 

% 

0 

r~ 

r 

hidcorp.com 


iCLASS  readers  offer  enhanced  security  with 
all  the  user-friendly  features  of  proximity. 

The  new  iCLASS  readers  are  virtually  identical  to  proximity  - 
in  power  requirement,  ease  of  use  and  installation,  even  price. 
The  only  difference  is  that  iCLASS  offers  enhanced  security 
through  encryption  and  mutual  authentication,  and  it’s  read/write 
capabilities  allow  you  to  add  functionality  such  as  biometrics, 
time  and  attendance,  PC  log-on  security  and  more.  Plus  iCLASS 
comes  from  HID.  So  there’s  a  lot  to  feel  secure  about. 


Please  visit  us  at  ISC  West,  booth  #13051 


By  Daintry  Duffy  and  Sarah  D.  Scalet 


HERE  ARE  many  paths  to 
alignment.  This  year’s  CSO 
Compass  Award  honorees 
have  sought  alignment— and 


T 


found  success— through  very  different 
means.  Their  strategies  vary  from  sagely 
anticipating  and  preparing  for  business 
risks,  to  humanizing  the  often  austere 
security  function,  to  advocating  metrics 
and  numbers  as  a  common  language  to 
bridge  the  communication  gap  between 
business  and  security  leaders.  We  asked 
each  honoree  to  share  with  us  his  or  her 
thoughts  on,  experiences  with  and  strate¬ 
gies  for  achieving  alignment. 


40  www.csoonline.com  March  2007 


’  3^V*8ai#6fc*;:’-  • .  ' 


mx, 


s* 


Metrics  Might 

George  Campbell 

Current  position:  Managing  Partner 
with  the  Business  Security  Advisory 
Group,  a  consultancy  composed  of 
several  former  CSOs  from  global 

CORPORATIONS. 

2002-2003;  PRESIDENT  OF 
International  Security  Management 
Association 

1998-2003:  ISMA  board  of  directors 
1994-2002:  CSO,  Fidelity  Investments 

DESPITE  THE  strides  that  secu¬ 
rity  organizations  have  made  post- 
9/11,  George  Campbell  believes 
that  CSOs  can  still  do  a  better  job  of  com¬ 
municating  their  core  value  to  the  business. 
“When  it  comes  to  seeing  security  as  really 
connected  to  the  brand  and  a  fundamental 
part  of  the  value  equation,  the  corner  office 
still  hasn’t  crossed  that  bridge.” 

But  surprisingly,  Campbell’s  remedy 
doesn’t  depend  on  getting  more  face  time 
with  the  CEO.  In  fact,  he  believes  that 
security  executives  focus  too  intently  on 
how  they  are  perceived  by  the  board  or  the 
CEO  to  the  detriment  of  building  relation¬ 
ships  with  the  many  other  constituencies 
they  serve  throughout  the  organization. 
“Whether  it’s  from  the  top  down  or  the  bot¬ 
tom  up,  you’ve  got  to  get  in  their  face  and 
understand  their  business,”  says  Campbell, 
who  is  64.  He  exhorts  CSOs  to  engage  their 
business  colleagues  by  saying,  “Here  are  the 
skills  we  have;  where  can  we  contribute  to 
making  you  more  successful?” 

Campbell  believes  that  metrics  are  funda¬ 
mental  tools  for  CSOs  who  want  to  influence 
policy,  effect  change  and  communicate  their 


value  to  the  organization.  He  recently  wrote 
“Measures  and  Metrics  in  Corporate  Secu¬ 
rity:  Communicating  Business  Value,”  pub¬ 
lished  by  the  CSO  Executive  Council  (www. 
csoexecutivecouncil.com ),  an  affiliate  of  CSO. 
In  the  book,  Campbell  discusses  what  data 
one  should  track  and  present,  how  to  pres¬ 
ent  it  and  to  whom.  He  suggests  that  CSOs 
need  to  develop  a  three-part  “dashboard”  of 
metrics:  one  section  for  items  like  a  safe  and 
secure  workplace  that  are  seen  as  the  direct 
responsibility  of  the  security  department, 
another  for  metrics  that  are  unique  to  their 
business  constituents  and  one  for  metrics 
that  are  unique  to  the  organization’s  suc¬ 
cess.  Some  need  constant  monitoring.  Oth¬ 
ers  (like  internal  misconduct  cases)  develop 
trends  over  time. 

Security  is  often  seen  as  a  nebulous 
function  with  its  own  obscure  language,  so 
metrics  can  be  a  tremendous  communica¬ 
tion  tool  for  bridging  the  gap  with  business. 
For  example,  if  a  CSO  can  go  to  a  business 
unit  and  give  them  the  leading  indicators 
that  show  that  they  are  heading  in  a  risky 
direction  with  the  vendors  they’ve  selected 
or  the  people  they  are  hiring— people  are 
getting  into  trouble  more  often,  there  are 
more  business  interruptions,  more  prob¬ 
lems  with  workplace  violence— that  is  a 
powerful  thing,  says  Campbell.  CSOs  need 
to  remember  that  “we  don’t  secure  the  com¬ 
pany,  we  are  facilitators,”  says  Campbell, 
“and  metrics  help  us  tell  a  story.” 

Read  more  at  CSOonline:  “How  to  Connect  with  Metrics” 
(audio  podcast),  www.csoonline.com/podcasts  |  “How 
to  Use  Metrics"  (book  excerpt),  www.csoontine.com/ 
read/080106/fea_metrics.html  |  “Smackdown”  (about  CSO 
role),  www.csoonline.com/read/020103/smackdown.html 


Putting  People  First 

Francis  D’Addario 

Current  position:  Vice  President, 
Partner  and  Asset  Protection  for 
Starbucks  Coffee 
1997-present:  Starbucks 
1990-1997:  director  of  loss 

PREVENTION,  HARDEE’S  FOOD  SYSTEMS 


Francis  d’ad  dario  believes 

that  the  opportunity  for  security  to 
be  relevant  in  any  business  orga¬ 
nization  lies  in  its  ability  to  provide  what 
he  calls  “just-in-time  security.”  When  he 
joined  Starbucks  in  1997,  it  was  in  the  wake 
of  the  botched  robbery  attempt  at  a  store 
in  the  Georgetown  section  of  Washington, 
D.C.,  where  three  Starbucks  employees  lost 
their  lives.  From  his  first  week  on  the  job, 
D’Addario  and  his  team  were  committed 
to  improving  safety.  They  introduced  time- 


lock  and  time-delay  safe  lock  technology 
and  closed-circuit  television  surveillance. 
They  built  security  into  new-store  designs, 
by  ensuring  that  would-be  robbers  could 
be  easily  observed  by  passersby.  They  track 
traveler  risk  and  they  involved  partners  and 
licensees  in  security-raising  efforts. 

With  more  than  12,400  coffeehouses 
worldwide,  security  has  become  a  critical 
component  of  Starbucks’  ability  to  attract 
and  retain  quality  employees.  “Partners  are 
our  number-one  priority,”  says  D’Addario, 
54.  “That’s  something  that  is  well-priori¬ 
tized  within  our  [corporate]  values,  and  it’s 
our  ability  to  be  an  employer  of  choice  that 
enables  us  to  grasp  opportunity'.” 

Through  communications  and  train¬ 
ing,  Starbucks  employees  receive  constant 
reminders  that  security  is  a  priority.  Staff 
undergo  workplace  violence  awareness 
training,  and  discuss  safety  at  monthly 
operational  meetings.  In  larger  markets, 
reminders  about  anonymous  risk  reporting 


PHOTO  TOP  LEFT  BY  DANA  SMITH;  RIGHT  BY  GARY  BENSON 


2007  Compass  Awards 


appear  on  biweekly  pay  statements. 

D'Addario  s  team  provides  just-in-time 
security  to  a  brand  operating  in  35  countries 
as  a  retailer,  manufacturer  and  distributor 
of  beverages,  food  and  entertainment.  The 
key,  he  believes,  is  to  keep  up  a  continuing 
conversation  with  business  leaders  and  cus¬ 
tomers  to  ensure  that  the  security  organiza¬ 
tion  meets  their  current  needs  and  enables 
their  growth  plans.  “We  have  to  make  sure 
that  the  manager  of  each  store  or  branch  or 
entertainment  business  has  the  reliable  loss 
prevention  capability  to  keep  people  safe 
and  protect  profit  and  loss,”  says  D’Addario. 
“We  have  to  understand  what  the  risks  are 
to  that  business,  what  markets  are  opening 
up  and  what  requirements  we’re  going  to 
have  to  adopt.” 

The  success  of  Starbucks  depends  on 
its  ability  to  find,  buy  and  transport  coffee 
from  around  the  world.  Among  the  risks 
Starbucks  faces  is  supply  chain  tamper¬ 
ing,  and  that  has  led  the  Starbucks  security 
group  to  develop  standards  and  technolo¬ 
gies  to  ensure  product  safety— everything 
from  proliferating  IS028001  standards 
for  container  security  and  authentication 
methods  for  trusted  agents  who  handle  con¬ 
tainers,  to  technologies  that  track  internal 
temperatures  and  humidity  to  ensure  that 
products  arrive  in  ideal  shape  for  consump¬ 
tion.  A  global  pandemic  represents  another 
threat.  D’Addario  has  been  working  with 
the  crisis  management  and  business  conti¬ 
nuity  groups  to  formulate  a  plan  that  could 
allow  the  company  to  nimbly  adjust  to  busi¬ 
ness  in  a  contagious  environment.  The  plan 
would  leverage  the  existing  drive-throughs 
and  some  storefront  locations  to  create  an 
all-carryout  enterprise.  “I  think  the  abil¬ 
ity  to  win  a  seat  at  the  table  is  to  have  the 
continuing  conversation  for  identifying  the 
relevant  risk  and  mitigating  it  in  a  relevant 
and  persuasive  way  that  is  measurable,”  says 
D’Addario.  “Then  continuously  reevaluate 
what  that  risk  looks  like.” 

Read  more  at  CSOonline:  “Where  the  Metrics  Are,” 
www.csoonline.com/read/020105/metrics.html  |  "Job 
Descriptions,"  www.csoonline.com/read/120103/ 
descriptions.html 


Call  Me  Anytime 

Deven  Bhatt 

Current  position:  CSO,  Airlines 
Reporting  Corp. 

2002-2004:  Corporate  Information 
Security  Manager,  Newell 
Rubbermaid 

1990-2002:  various  positions  in 
security  at  Frontier  Telephone 
culminating  in  Manager  of  Security 

FOR  DEVEN  Bhatt,  achieving 
business  alignment  means  taking 
a  very  personal  approach  to  his  job. 
Although  Airlines  Reporting  Corp.  (ARC) 
processes  $70  billion  worth  of  ticket  trans¬ 
actions  each  year,  security  was  a  one-man 
operation  when  Bhatt  joined  in  2004.  With 
limited  resources  at  his  disposal,  Bhatt 
learned  early  on  that  developing  good 
relationships  with  employees  across  the 
company  would  be  critical  to  creating  a 
security-conscious  culture. 

So  Bhatt,  49,  advertises  his  availability. 
When  he  conducted  a  mandatory  secu¬ 
rity  awareness  training  program  for  the 
company’s  450  or  so  employees,  he  handed 
out  a  brochure  that  contained  his  personal 
cell  phone  number.  (The  program  covers 
computer  security,  ID  theft,  fraud,  busi¬ 
ness  continuity  and  emergency  evacua¬ 
tions.)  “I  still  get  calls  in  the  middle  of  the 
night,”  says  Bhatt.  “That’s  fine.  I  really  want 
to  show  my  commitment.”  He  also  has  an 
open-door  policy  to  encourage  employees 
and  business  leaders  to  bring  him  problems 
rather  than  hide  them.  “We  can  always  find 
a  middle  ground”  for  a  solution,  says  Bhatt, 
who  adds  he  is  careful  never  to  blame  the 
messenger  for  sharing  information,  and  he 
encourages  employees  to  bring  up  any  issue, 
no  matter  how  trivial  it  seems. 

Now  that  his  department  has  grown  to 
seven  members,  Bhatt  has  deployed  his 
staff  to  sit  within  individual  business  loca¬ 
tions  to  serve  as  their  security  points  of  con¬ 
tact.  Initially  corporate  leaders  questioned 
whether  this  was  necessary,  and  employees 
were  worried  that  security  was  there  to  spy 


on  them  and  monitor  policy  compliance. 
But  Bhatt  was  able  to  show  that  this  was  a 
customer  service  move  designed  to  provide 
quick  results  to  security-related  needs. 

Bhatt  believes  there  is  a  clear  value  to 
providing  personal  attention.  He’s  even 
willing  to  play  the  fool  if  it  enhances  secu¬ 
rity  awareness.  He  put  together  a  Mission 
Impossible- style  spoof  film  for  his  secu¬ 
rity  awareness  event,  with  the  CEO  and 
other  executives  as  his  actors  and  playing 
the  Inspector  Clouseau  role  himself,  com¬ 
plete  with  pratfalls.  Although  the  film  was 
intended  to  educate  everyone  on  the  need 
for  general  security  and  the  Payment  Card 
Industry  (PCI)  standard  for  processing 
credit  card  data,  it  had  the  added  bonus 
of  humanizing  the  security  function.  Bhatt 
also  offers  employees  training  to  help  them 
with  physical  and  computer  security  at 
home.  “I  want  people  to  feel  this  from  their 
heart,  that  this  is  their  company,  and  secu¬ 
rity  is  their  responsibility,”  he  says. 

His  approach  has  paid  off  with  the  suc¬ 
cess  of  several  high-profile  projects  where 
failure  would  have  been  catastrophic  and 
where  employee  cooperation  was  crucial. 
ARC  was  the  first  company  in  the  airline 
travel  industry  to  get  its  PCI  compliance— a 
requirement  for  all  merchants  and  service 
providers  that  store,  process  or  transmit 
credit  card  data.  Bhatt  also  convinced  his 
CEO  and  executive  board  to  make  sup¬ 
porting  security  initiatives  like  these  two 
projects  a  prerequisite  to  receiving  annual 
bonuses.  ARC  completed  both  the  encryp¬ 
tion  project  and  awareness  training. 

Read  more  at  CSOonline:  “Winning  the  Gadget  Wars,”  www 
.csoonline.com/read/080105/gadget.html 


42  www.csoonline.com  March  2007 


PHOTO  BY  RON  AIRA 


Trusted  Information  Hub 

Dan  Lohrmann 

Current  position:  CISO,  state  of 
Michigan 

1997:  STARTED  WORKING  FOR  THE 
Michigan  state  government; 
Appointed  CISO  role  in  May  2002 
1985-1997:  NETWORK  ENGINEERING 
positions  with  ManTech 
International,  Loral  Aerospace  and 
the  National  Security  Agency 

THE  STATE  of  Michigan  may  have 
55,000  employees,  but  in  many 
respects  it’s  a  small  community. 
“People  have  been  around  a  long  time  in 
state  government  and  you  get  a  reputation,” 
says  Dan  Lohrmann,  Michigan’s  CISO.  “It’s 
very  important  to  be  someone  that  delivers.” 
For  that  reason,  Lohrmann  believes  that 
trust  is  the  cornerstone  of  a  well-aligned 
security  organization. 

One  of  his  techniques  for  achieving  that 
trust  is  to  try  to  “undercommit  and  over¬ 
deliver”  when  dealing  with  his  state  agency 
counterparts.  This  strategy  is  particularly 
important  in  state  government,  where 


funds  are  short  and  legacy  systems  are  plen¬ 
tiful.  He  makes  a  point  to  celebrate  security 
achievements  with  his  own  department  and 
the  business  units  that  helped  make  them 
possible.  “Thanking  them  enhances  the 
image  of  the  security  department  so  they 
start  to  think  of  us  as  partners  instead  of 


this  oversight  body,”  says  Lohrmann,  43. 

For  example,  Lohrmann’s  group  threw  a 
pizza  party  for  the  Department  of  Informa¬ 
tion  Technology  to  thank  them  for  helping 
reduce  the  number  of  vulnerabilities  on 
their  servers  (a  milestone  in  achieving  PCI 
compliance).  “By  showing  our  appreciation, 
it  helps  to  build  trust  and  change  the  per¬ 
ception  of  us  as  always  being  the  ones  who 
say  no,”  Lohrmann  says. 

Lohrmann  also  looks  for  ways  to  add 
value  beyond  the  basic  services  that  security 
is  expected  to  provide,  like  identity  verifica¬ 
tion  and  virus  protection.  By  installing  Web¬ 
filtering  technology,  he  was  able  to  save 
approximately  $700,000  a  month  in  spy- 
ware,  bandwidth  and  repair  cost  avoidance. 
Because  of  his  background  in  the  NSA  and 
his  work  with  the  Department  of  Homeland 
Security  on  behalf  of  the  National  Asso¬ 
ciation  of  State  Chief  Information  Officers 
(Nascio),  Lohrmann  has  relationships  in 
Washington  that  he  has  been  able  to  lever¬ 
age  on  behalf  of  some  of  his  state  agency 
directors.  “I’ve  been  able  to  work  on  issues 
that  were  of  interest  to  individual  directors, 
and  they  really  like  that  I’m  helping  them 
conduct  business  and  do  their  job.” 

He  has  been  able  to  share  insights  from 
his  work  at  Nascio  to  help  the  state’s  home¬ 
land  security  adviser,  Mike  McDaniel,  and 
establish  processes  for  a  new  homeland 
security  intelligence  center,  where  law 
enforcement,  public  safety  and  private- 
sector  participants  share  information. 
Lohrmann  says  he’s  also  been  able  to  help 
DHS  officials  in  Washington  understand 
state  and  local  homeland  security  issues. 

Lohrmann’s  efforts  to  build  those  trusted 
relationships  have  paid  dividends.  When 
the  Michigan  Department  of  IT  (MDIT) 
recently  undertook  a  Return  on  Security 
Investment  analysis,  the  results  convinced 
MDIT’s  state  agency  customers  to  double 
their  IT  security  spending  at  a  time  when 
the  state  budget  overall  has  been  cut. 

Lohrmann  says  he  continues  to  search 
for  ways  to  deliver  on  his  promises  when 
he  meets  with  his  state  agency  colleagues. 
“You  have  to  look  for  areas  where  you  can 


add  value  as  a  [security]  organization  and 
as  an  individual,”  he  says.  “If  you  can  always 
walk  away  from  those  lunches  with  a  little 
nugget,  you’re  going  to  have  a  reason  to  get 
back  together  again,  and  it’s  not  just  a  cour¬ 
tesy  call  anymore.” 

It  was  through  such  lunches  that 
Lohrmann  learned  that  his  security  group’s 
reputation  as  naysayers  to  new  initiatives 
needed  a  makeover.  His  answer:  find  ways 
to  say  yes,  securely.  His  initial  rejection  of  a 
wireless  network  access  gave  way  to  limited 
connectivity  that  satisfied  users  without 
sacrificing  security  standards. 

Read  more  at  CSOonline:  GovSpace,  Dan  Lohrmann's  blog: 
http://blogs.csoonline.com/blog/danJohrmann 


Team  Player 

Lisa  “LJ”  Johnson 

Current  position:  CISO,  Nike 
1998-present:  Nike,  various  security 

MANAGEMENT  POSITIONS 

1993-1998:  security  manager,  U.S.  Bank 

IT  HAS  been  said  that  you  can’t  truly 
understand  a  person  until  you  walk  a 
mile  in  her  shoes.  LJ  Johnson,  Nike’s 
CISO,  put  that  adage  to  shame  when  she 
recently  embedded  herself  within  her  com¬ 
pany’s  footwear  organization  for  a  year  to 
learn  how  she  could  help  with  intellectual 
property  protection. 

In  2004,  Johnson  took  the  bold  step  of 
removing  herself  from  the  security  group’s 
daily  operations  so  that  she  could  focus 
on  business  outreach  and  alignment.  She 
moved  her  office  across  the  building  and 
shifted  her  attention  to  strategic  planning, 
business  relationship  development,  and 
security  marketing  and  communication 
issues.  And  she  got  involved  in  activities 
where  she  would  meet  people  from  all  over 
the  company.  Sports— not  surprisingly— 
has  been  a  great  way  to  make  connections. 
Johnson  meets  people  by  playing  racquet- 
ball,  soccer  and  golf  and  gets  involved  in 
as  many  volunteer  opportunities  as  she 
can  make  time  for.  “You’re  interacting  with 


PHOTO  BY  KEVIN  FOWLER 


March  2007  www.csoonline.com  43 


2007  Compass  Awards 


people  that  you  don’t  bump  into  on  a  reg¬ 
ular  basis,  and  I  have  formed  some  good 
business  relationships,”  says  Johnson,  45. 
In  one  leadership  training  class  she  met 
a  woman  involved  in  product  quality  and 
counterfeiting  protection.  So  far,  they  have 
exchanged  ideas  and  hope  to  find  some 
ways  for  Johnson’s  group  to  help. 

Although  she  acknowledges  that  rela¬ 
tionship  building  is  an  organic  process, 
there  are  explicit  steps  that  security  execu¬ 
tives  can  take  to  help  it  along.  Johnson 
found  that  asking  business  executives  for 
30-minute  informational  interviews  can 
yield  good  results.  “It’s  an  opportunity  to 
ask  them  what  security  services  they  would 
like  to  see  and  if  there  are  things  you  could 
do  to  add  more  value  for  them,”  she  says. 
“People  will  give  you  a  ton  of  ideas.”  Johnson 
has  found  that  most  executives  are  open  to 
being  approached  like  this;  they  especially 
appreciate  it  when  you  follow  up  later  with 
some  action  items  or  ideas  from  the  talk. 

Johnson’s  most  dramatic  attempt  to 
get  closer  to  her  business  customers  came 
recently,  during  her  yearlong  experience 
working  with  the  footwear  organization 
to  learn  about  IP  protection.  “It  was  tricky 


juggling  my  other  job,”  she  admits,  “but  it 
made  such  a  big  difference  to  sit  next  to 
them,  to  go  to  their  staff  meetings  and  be 
a  part  of  their  team.”  She  says  she  found 
ideas  for  product  and  IP  protection,  and 
training  that  she  might  not  have  otherwise. 
It’s  a  technique  she  plans  to  try  again  in  the 


future  with  other  divisions. 

See  more  at  CSOonline:  “The  Team  Builder”  www 

.csoonline.eom/read/060105/teainbuilder.html 


Open  for  Business 

Lynn  Mattice 

Current  Position:  VP  and  CSO  of 
Boston  Scientific 
1992-1997:  Director  of  Corporate 
Security,  Whirlpool 
1980-1992:  Corporate  director  of 
security  at  Northrop  Grumman 

WHEN  LYNN  Mattice  picks  up 
a  book  or  magazine,  chances 
are  good  he  won’t  be  reading 
something  focused  on  security.  The  Har¬ 
vard  Business  Review,  maybe,  or  MIT 
Sloan  Management  Review,  to  stay  on  top 
of  the  latest  business  trends.  The  World 
Economic  Forum’s  Global  Competitiveness 
Report,  to  keep  up  to  date  on  the  global 
sales  environment.  Or  one  of  Soundview’s 
Executive  Book  Summaries,  which  have  led 
him  to  such  gems  as  Execution,  a  book  about 
getting  things  done  by  Honeywell's  CEO, 
Larry  Bossidy,  and  consultant  Ram  Charan. 

“I  need  to  be  on  the  leading  edge  of  the 
issues  that  are  taking  place  in  business,” 
says  Mattice,  VP  and  CSO  of  Boston  Sci¬ 
entific,  the  $7-8  billion  medical-supplies 
company  based  in  Natick,  Mass.  “When 
I’m  talking  with  the  business  community 
here,  I  need  to  communicate  with  them 
in  the  language  that  they  communicate  in. 
They’re  interested  in  business  results.” 

So,  while  security  is  certainly  what  Mat¬ 
tice  does— he  has  global  responsibility  for 
business  intelligence,  business  continuity 
and  a  fully  converged  corporate  security 
program,  including  information  security— 
his  focus  is  Boston  Scientific’s  business. 

Mattice  is  deeply  involved  with  sales 
efforts,  for  instance.  Boston  Scientific  has 
salespeople  or  distributors  in  more  than 
100  countries,  so  he  regularly  attends  sales 
meetings,  where  he  provides  intelligence 
about  what’s  going  on  in  different  parts  of 


the  world.  His  work  includes  ensuring  the 
safety  of  these  far-flung  teams. 

Mattice  also  helps  the  sales  group  under¬ 
stand  common  business  practices  in  other 
countries  and  make  sure  that  Boston  Sci¬ 
entific  isn’t  working  with  businesses  that 
require  bribes  or  are  likely  to  deal  in  counter¬ 
feit  or  gray-market  goods.  And  anytime  busi¬ 
ness  leaders  are  looking  at  expanding  into  a 
new  geographic  area,  he  helps  them  evaluate 
the  market  conditions,  environment,  politi¬ 
cal  situation  and  economic  risks. 

“We  cover  a  broad  range  of  issues  so  that 
people  don’t  go  into  a  country  blind,”  says 
Mattice,  who  is  53.  “You  need  to  know  how 
the  country  works.  It’s  understanding  your 
marketplace.  And  the  more  you  do  along 
those  lines  to  support  the  business,  the 
more  the  business  comes  to  you  and  wants 
to  engage  you.  When  you’re  providing  sup¬ 
port  and  information  that’s  important  to 
them  to  do  their  job,  then  you’re  viewed  as 
a  partner.” 

His  overriding  mantra?  “This  isn’t 
rocket  science.  This  isn’t  anything  that’s 
hidden  behind  smoke  and  mirrors,  and  it’s 
not  anything  special.  These  are  business 
processes.  We  are  working  to  help  refine 
the  effectiveness  of  the  company  in  every 
possible  way  that  we  can.” 

Read  more  on  CSOonline.com:  “Mix  Masters,”  about 
surviving  mergers,  www.csoonline.com/read/030103/mix 
. html ;  “Vet  Your  Outsourcer,”  www.csoonline.com/ 
read/100104/briefing_vet.html  ■ 


Daintry  Duffy  is  a  freelance  writer  based  in  Southbor- 
ough,  Mass.  Reach  Senior  Editor  Sarah  D.  Scalet  at 
sscalet@cxo.com. 


44  www.csoonline.com  March  2007 


PHOTO  LEFT  BY  TIM  JONES;  TOP  RIGHT  BY  CHRISTOPHER  NAVIN 


Advertisement 


SECURITY 


•  '  .  •  • 

_ _ _ v 


a  $$  A 


HACKISTAN 


Gross  national  product:  From  legal 
activities,  $5MM.  From  illegal  activities, 
$167  Billion. 


Per  capita  Income:  99%  live  on  less 
than  $1 0/week;  1%  cavort  like 
Donald  Trump 


Main  industries:  Key  logging,  yak  jerky 
production,  phishing 


Counterfeit  ATM  cards  per  capita:  17.3 


Chief  exports:  V1a@GRA  and  Ciali  s 


National  bird:  Roasted  vulture 


National  anthem:  “I  Sing  of  Proud 
Hackistan.  Land  of  My  Mother's 
Facial  Hair" 


©  2007  Fortify  Software  Inc. 


Hackistan  leader  shakes 
confidence  of  I.T.  world. 

Conventional firewalls  unable  to  withstand  expected  onslaught . 


The  conclusions  of  the  Hackistan  Study 
Group  (HSG)  offer  an  alarming  assess¬ 
ment  of  the  hacking  threats  posed  by 
this  rogue  nation. 

Hackistan  has  toyed  with  security  profes¬ 
sionals  ever  since  a  state-sponsored  team  of 
digital  terrorists  hacked  into  the  FAA  database 
and  put  Harry  Truman  on  a  no-fly  list.  But  the 
situation  is  worsening,  as  the  report  cites  “an 
alarming  investment  in  Hackistan’s  elite  Bot 
Army.”  It  noted  that  “the  growing  sophistication 
of  their  logic  bombs,  Trojans  and  SQL  injection 
techniques  is  gravely  disturbing.” 

Many  are  banking  on  California-based 
Fortify  Software,  a  leader  in  software  security,  to 
neutralize  these  threats.  Commenting  on  Fortify’s 
groundbreaking  approach,  the  report  said  that 
“protecting  applications  at  the  code  level  is 
increasingly  being  viewed  as  the  only  viable  path 
to  creating  confidence  in  a  very  dangerous  world.” 
Contacted  at  Fortify’s  global  headquarters, 


John  M.  Jack,  the  company’s  CEO,  was 
undaunted  by  Hackistan’s  bluster, 
commenting  that  “true,  for  the  rest  of 
the  security  industry  they  are  a  devas¬ 
tating  threat.  For  us,  they’re  amateurs 
who  couldn’t  break  into  my  daughter’s 
Kevin  Federline  lunch  box.”  He  added 


Lifetime  Despot  Zorkul 
of  Hackistan 


“We  are  able  to  identify  and  fix  vulnerabilities 
throughout  the  entire  development  process.  We 
anticipate  that  frustrated  hackers,  hungry  and 
broke,  will  have  to  move  back  in  with  their 
parents  in  record  numbers.” 

No  Hackistan  official  was  available  for  com¬ 
ment,  but  a  blog  post  that  is  believed  to  come 
from  a  senior  Hackistan  official  (or  even 
Lifetime  Despot  Zorkul  himself)  mocked  the 
security  efforts  of  government  and  industry, 
saying  that  “the  chances  of  the  world  getting 
serious  about  code  security  are  about  as  likely  as 
John  Jack  waking  up  with  a  full  head  of  hair.” 

“The  study  group  warned  against 
pro-Hackistan  propaganda  that  appears  on 
web  sites  like  www.discoverhackistan.com.” 


CEO  Jack  fired  back:  “I  have  ultimate 
confidence  that  our  products  Fortify  SCA, 
Fortify  Tracer  and  Fortify  Defender  will  block 
Hackistan’s  nefarious  plans.  Zorkul’s  desperation 
is  also  apparent;  he  has  chosen  to  attack  me  on 
the  follicle  level  because  they  are  powerless  to 
reach  us  on  the  code  level.” 


Leading  the  fight  against 
Hackistan  is  an  innovative 
high-tech  company  called  Fortify 
Software.  The  company  said  it  will 
not  rest  until  Hackistan  is  turned 
into  a  Club  Med  vacation  spot. 


REPRINTED  FROM  GLOBAL  SECURITY  UPDATE.  JANUARY  2007  •  JOIN  THE  FIGHT  AGAINST  HACKISTAN  •  GOTO  WWW.FORTIFYSOFTWARE.COM. 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales  and  Services 

CSO  Sales  Offices 

President  and  CEO 

Michael  Friedenberg  •  508  935-4310 

Publisher 

Bob  Bragdon  •  508  935-4443 
Senior  Ad  Sales  Associate 
Christine  Hopkins  •  508  988-7836 
Eastern  Territory 
East  Coast  Regional  Manager 
Roz  Burke  •  508  935-4163 
Western  Territory 
Senior  Regional  Sales  Manager 
Ai  Collins  -415  975-2686 
Regional  Sales  Manager 
Drew  Seifried  •  206  245-3328 

Integrated  Media  and  Online  Sales 
VP,  Integrated  Media  and  Online  Sales 
Jim  Alla  •  508  988-6763 
Online  Regional  Sales  Managers 
Tina  Dudarevitch  •  718  279-2396 
Lori  Kehoe  •  415  978-3329 
Online  District  Sales  Manager 
Sara  Mascall  •  415  978-3385 
Manager,  Online  Account  Services 
Danielle  Tetreault  •  508  988-7969 
Online  Account  Services  Specialist 
Valerie  Sumner  •  508  988-7877 
Online  Ad  Sales  Associate 
Devon  Slattery  •  415  975-2687 
Online  Advertising  Specialist 
Irina  Gabechiia  •  508  935-4414 
Online  Account  Services  Coordinator 
Hayley  Nickerson  •  508  988-7819 

Custom  Solutions  Group 

Vice  President 

Matt  Avery  •  508  935-4796 

Director  of  Sales 

Mary  Gregory  •  508  988-6765 

Executive  Editor 

Tom  Field 

Managing  Editor 

Jim  Malone 

Senior  Project  Manager 
Amy  Greenleaf 
Project  Managers 
Karen  Capland,  Amy  Freeman 


CSO  Executive  Council 
Managing  Director 
Bob  Hayes 

VP,  Research  and  Product  Development 

Kathleen  Kotwica 

Director,  IT  and  Product  Technology 

Greg  Kane 

Operations  and  Production  Specialist 
Jayne  Marcucella 
Member  Services  Manager 
Elizabeth  Lancaster 

Production 
VP/Manufacturing 
Chris  Cuoco 
Production  Manager 

Heidi  Broadley 

Associate  Production  Manager 
Lisa  M.  Stevenson 

Executive  Programs 
VP,  Executive  Programs 
Ellen  Daly 

Director,  Business  Development 

John  Vulopas 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 
National  Sales  Manager 
Per  Melker 

Senior  Conference  Producer 

Judith  Kittredge 

Event  Planner 

Sarah  Reagan 

Event  Coordinator 

Bethany  Whiffin 

Registration  Specialist 

Cress  O'Brien 

Client  Services  Specialist 

Erica  Foster 

Sales  Associate 

Nicole  Blackburn  •  508  935-4154 

Marketing 

Sr.  Director,  Marketing  Communications 
Sue  Yanovitch 

Sr.  Marketing  Communications  Specialist 
Susan  Murray 

Marketing  Communications  Specialist 

Lynn  Holmlund 

Circulation 
Senior  VP/Circulation 

Carol  A.  Spach 

Subscription  Services  Supervisor 
Tina  Pescaro 

List  Services 

Contact  Paul  Capone  of  IDG  List  Services  at 
508  370-0865  or  pcapone@idglist.com. 

Reprint  Services 

For  article  reprints  (100  quantity  or  more), 
please  contact  Keith  Williams 
at  PARS  International  at  212  221-9595,  ext. 
319,  or  e-mail  keith.wiiliams@parsintl.com. 
For  further  sales  information,  visit 
www.csoonline.com/reprints/index.html. 


CSO  Contact  Information 

Editorial/Advertising/ 

Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Postal  Information 

CSO  (ISSN  1540-904x)  is  published  monthly 
by  CXO  Media  Inc.,  492  Old  Connecticut  Path, 
P.O.  Box  9208,  Framingham,  MA  01701-9208. 
Periodicals  Postage  Rate  at  Framingham, 

MA  01701,  and  at  additional  mailing  offices. 
Canadian  Publications  Mail  agreement 
number  1902075.  CANADIAN  POSTMASTER: 
Please  return  undeliverable  copy  to  P.O.  Box 
1632,  Windsor,  ON  N9A  7C9. 

Permissions 

Copyright  2007  by  CXO  Media  Inc.  All 
rights  reserved.  Reproduction  of  material 
appearing  in  CSO  is  forbidden  without 
written  permission.  Send  requests  to 
Yadira  Pizarro,  PARS  International, 

212  221-9595,  ext.  231.  or  e-mail 
yadira@parsinti.com. 

Photocopy  Rights 

Permission  to  photocopy  for  internal  or 
personal  use  or  the  internal  or  personal  use 
of  specific  clients  is  granted  by  CSO  for  users 
through  the  Copyright  Clearance  Center, 
provided  that  a  fee  of  $3.50  per  copy  of  the 
article  is  paid  directly  to  Copyright  Clearance 
Center,  222  Rosewood  Drive  Danvers,  MA 
01970.  www.copyright.com.  Please  specify: 
ISSN  1540-904x.  Permission  to  photocopy 
does  not  extend  to  contributed  articles 
followed  by  this  symbol:  %. 

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125. 

CSO  is  free  to  qualified  information 
executives.  To  all  others  the  one-year  basic 
rate  is  $70  for  the  United  States  and  Canada, 
$95  to  foreign  countries  (payable  in  U.S. 
funds  only).  The  single  copy  price  is  $9  to 
the  U.S.  and  Canada  and  $15  International. 
Please  allow  four  to  six  weeks  for  new 
subscriptions  to  begin. 

Change  of  Address 

Go  to  www.omeda.com/custsrv/cso  and 
follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to: 

CSO,  P.O.  Box  3482,  Northbrook,  IL  60065. 

Printed  in  the  USA. 


Index  of  Companies  and  Advertisers 


Company  Index 

Abercrombie  &  Fitch  . 11 

Airlines  Reporting  Corp . 40 

Apple  Inc . 24 

Banco  Azteca . 11 

Boston  University . 24 

Cisco  Systems  Inc . 20 

comScore  Networks  Inc . 24 

Condb  Nast  Publications . 24 

Deloitte  Development  LLC . 11,  24 

DigitalPersona  Inc . 11 

Business  Security  Advisory  Group . 40 

Dow  Jones  &  Company  Inc . 24 

Easton  Sports  Inc . 34 

Facebook . 24 

FMRCorp . 40 

FreeRainbowTables.com . 11 

Frontier  Telephone . 40 

Google  Inc . 24 

Hak.5 . 11 

Hardee's  Food  Systems  Inc . 40 

Hearst  Communications  Inc . 24 

IBM  Corp . 11 

International  Security 

Management  Association  . 40 

Kroll  OnTrak  Inc . 34 

Littler  Mendelson  PC . 34 

Loral  Space  and  Communications . 40 

ManTech  International  Corp . 40 

Microsoft  Corp . 11,  24 

Motion  Picture  Association  . 24 

MySpace . 24 

National  Center  for 

Missing  &  Exploited  Children . 24 

National  School  Boards  Association  . 24 

National  Security  Agency . 40 

New  Balance  Athletic  Shoe  Inc . 34 

Newell  Rubbermaid . 40 

News  Corp . 24 

Nike  Inc . 4, 11,  40 

North  Atlantic  Operating  Co.  Inc . 11 

Paramount  Pictures . 24 

Puma  AG  . 11 

RainbowTables.net . 11 

Reebok  Ltd . 11 

Security  Industry  Association  . 11 

Sentinel  Tech  Holding  Corp . 24 

Shmoo  Group.  The . 11 

Starbucks  Corp . 40 

Time  Inc . 24 

U.S.  Bancorp  . 40 

U.S.  Department  of  Justice  . 24 

Umbra  Ltd . 11 

University  of  California,  Davis  . 20 

University  of  Illinois . 20 

University  of  Maryland . 20 

Vivendi . 24 

Wesleyan  University . 24 

Xanga . 24 

Yahoo  Inc . 24,  34 

Advertiser  Index 

BigFix,  Inc . 5 

CA  . C4 

Cisco  Systems  Inc . 16a 

CXO  Media  Inc . 9, 17,47 

Fortify  Software  Inc . 45 

HID  Corp . 39 

IBM  Corp . 21 

Intel  Corp . 15 

I  SAC  A . 10 

ISC2  . C3 

Juniper  Networks  Inc . 13 

LURHQ/SecureWorks . 19 

Oakley  Networks  Inc . 8a 

Oracle  Corp . 7 

Sharp  Corp . 23 

Tumbleweed  Communications  Corp.  .  .  29,  31,  33 

Tyco  Fire  &  Security . 3 

VeriSign  Inc . C2 


46  www.csoonline.com  March  2007 


Get  the  CIO  Pocket  MBA  Advantage 


Register  now  as  space  is  limited! 

Management.bu.edu./exec/elc/ciopocket 

-  Or  contact  us  directly  at: 

Phone:617-353-4248 
Email:  elc@management.bu.edu 

The  early  registration  discount  rate  for  this  program  is  $4,245 
if  you  register  before  March  23rd.  After  March  23rd  the 
registration  rate  for  this  course  is  $4,995. 


April  23-27, 2007 


Boston  University's  Executive  Leadership  Center 
Boston  University  School  of  Management 

For  complete  program  details  visit 
management.bu.edu/exec/elc/ciopocket 


Business 

Technology 

Leadership 


rams 


A  Commitment  to  Excellence 

i  I ,  j  msf  g 

A  New  Era  In  Collaboratidn 


World-Class  Education  With  Real  World  Application 

Sessions  Presented  By 

Boston  University  Scholars:  j 

N.  Venkat Venkatraman 

-  M  J 

onu  " 

John  C.  Henderson-  / 

.  I  .  , 

and  other  distinguished  faculty 

Presented  by: 


CIO 


BOSTON 

UNIVERSITY 


www.cio.com/conferences 

f 


vttjf 


Ever  wonder  where  crime  jargon  comes 
from?  Here’s  a  selection  courtesy  of  Evan 
Morris,  “The  Word  Detective.” 

In  the  late  1800s,  you  could  buy  soft-soled 
shoes  made  of  gum  rubber  that  were  qui¬ 
eter  than  leather-soled  shoes.  Gumshoes 
were  quickly  discovered  by  thieves,  who 
would  gumshoe  through  the  jewelry  store. 
Later,  as  is  common  with  words,  gumshoe 
flipped  to  become  synonymous  with  detec¬ 
tive,  the  good  man  sneaking  around  to  find 
the  bad  men  sneaking  around. 

If  you  were  in  a  play  in  ancient  Rome  and 
you  weren’t  particularly  good,  the  audience 
would  clap  loudly  until  you  exited  the  stage 


in  disgrace.  It  was  "ejection  by  applause" 
or  in  the  Latin,  explodere.  Later,  explode 
came  to  mean  “to  drive  something  out,” 
usually  figuratively,  such  as  a  theory.  Then 
came  gunpowder  and,  gradually,  explode 
adopted  its  definition  of  a  sudden  physi¬ 
cal  violence.  Implode  was  an  ex  post  facto 
synthetic  creation;  it  didn’t  exist  in  Latin. 

Heist.  Sounds  like  it  might  have  a  neat 
story.  Alas,  it's  just  hoist  mispronounced. 

Here’s  an  ancient  Roman  bedtime  story: 
Venus  is  having  an  illicit  tryst.  A  child  god 
named  Harpocrates  discovers  her  and  her 
lover.  Enter  Cupid,  Venus's  son,  who  offers 
Harpocrates  a  beautiful  rose  in  exchange 


for  his  vow  of  silence  on  this  potentially 
reputation-damaging  affair.  As  late  as 
medieval  times,  roses  hung  above  dining 
room  tables  to  remind  guests  that  what 
was  said  at  the  table  stayed  at  the  table. 

It  was  sub  rosa,  under  the  rose,  or  secret. 

You  might  know  the  flowers  called  asters, 
which  look  like  stars.  Aster,  after  all,  is  the 
Latin  for  star.  The  study  of  asters,  astrol¬ 
ogy,  was  important  to  ancients'  lives.  To 
go  away  from  the  stars  or  against  the  stars 
was,  literally,  dis-aster,  hence  disaster. 

Urban  myth  suggests  being  caught 
red-handed  has  to  do  with  pistachio 
factory  workers  eating  nuts  off  the  line, 
only  to  get  caught  with  red  shell  residue  on 
their  hands.  Not  true.  The  red  on  the 
hands  is  blood,  the  evidence  of  murder. 

Starting  in  1204  and  for  650  years  after,  a 
town  outside  Dublin  held  an  annual  fair, 
notorious  for  its  crowded,  drunken,  rau¬ 
cous  violence.  In  1855,  Dublin  canceled  the 
fair  permanently  because  of  its  reputation. 
But  it  lives  in  infamy  to  this  day: 

The  Donnybrook  Fair. 

One  way  to  hunt  passenger  pigeons,  now 
extinct,  was  to  catch  one,  blindfold  it 
and  tie  it  to  a  stool.  The  frightened  pigeon 
would  flap  madly,  attracting  other  pigeons 
and  making  easy  pickings  for  the  hunter. 
Human  stool  pigeons,  orstoolies,  make 
the  hunting  easy  for  the  police. 

Speaking  of  police,  the  word  cop  often 
incites  etymological  speculation.  Some 
attribute  cop  and  copper  to  the  metal 
badges  of  police  uniforms.  Others  cite  acro¬ 
nyms  like  “Chief  of  Police"  and  "Constable 
on  Patrol.”  Most  likely,  though,  its  origin 
is  from  an  Old  English  verb  to  cop,  which 
meant  to  snatch  or  capture.  That  verb  came 
from  the  Latin  capere,  to  seize. 

Security.  From  the  Latin,  se  cura, 
without  care. 


48  www.csoonline.com  March  2007 


ILLUSTRATION  BY  RALPH  BUTLER 


(iscy 

SECURITY  TRANSCENDS  TECHNOLOGY 


DIFFERENT  COUNTRIES.  DIFFERENT  COMPANIES. 


SSCP 


ISO/IEC  17024 


^oRMA\ 

,<3  4r 


CISSP- 


T^V 


ISO/IEC  17024 


ONE  COMMON  LANGUAGE. 


SSCP  from  (ISC)2.  Credentialing  the  world’s  most  qualified  Information  Security  workforce. 

Businesses  worldwide  share  a  common  priority:  ensuring  their  information  security  policy  is  the  best.  Now  they  can 
share  the  same  language.  (ISC)2  has  credentialed  tens  of  thousands  of  the  world’s  most  qualified  information  security 
professionals,  in  over  100  countries  around  the  globe.  Equipped  with  an  SSCP  credential  from  (ISC)2,  your  information 
security  workforce  speaks  a  common  language.  Shares  common  platform  knowledge.  And  understands  how  best 
to  implement,  monitor  and  secure  your  information  security  organization.  Which  translates  into  a  more  secure 
business.  Speak  to  (ISC)2  today. 


For  DHL, 
the  powerful 
of  IT  delivers 
over  four  million 
promises  a  day. 


Unified  and  simplified  package  tracking:  a  logistical  dream. 

The  best  way  for  DHL,  the  world  leader  of  delivery  services,  to  move  more  packages  is  to 
move  more  information.  CA  software  solutions  helped  DHL  to  unify  and  simplify  its  global 
package  tracking  systems.  This  increased  efficiency  gave  DHL  the  ability  to  deliver  over 
one  billion  promises  more  accurately  each  year.  It's  more  proof  that  customer  service  is 
back  in  shipping.  Learn  how  CA  software  solutions  enable  enterprises  like  DHL  to  realize 
the  full  power  of  IT  at  ca.com/customers. 


Transforming 
IT  Management 


Copyright  ©2006  CA.  All  rights  reserved. 


